CVE-2025-23790
Published: 14 February 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23790 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the wassereimer Easy Code Placement WordPress plugin. This issue affects all versions from n/a through 18.11 and was published on 2025-02-14.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility with low attack complexity, no required privileges, and user interaction needed. Remote attackers can exploit it by delivering malicious payloads via reflected inputs on web pages, tricking victims into interacting (such as clicking links). Successful exploitation executes arbitrary JavaScript in the victim's browser context, enabling low impacts on confidentiality, integrity, and availability with a changed scope.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/easy-code-placement/vulnerability/wordpress-easy-code-placement-plugin-18-11-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables exploitation of public-facing applications (T1190) and arbitrary JavaScript execution in browser via malicious links.