CVE-2025-23798
Published: 22 January 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-23798 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the ElbowRobo Mass Messaging in BuddyPress WordPress plugin (mass-messaging-in-buddypress). It affects all versions from n/a through 2.2.1.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as clicking a malicious link. Unauthenticated attackers can exploit it by tricking users into interacting with crafted input reflected in web pages, enabling arbitrary script execution in the victim's browser context with changed scope, resulting in low impacts to confidentiality, integrity, and availability.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/mass-messaging-in-buddypress/vulnerability/wordpress-mass-messaging-in-buddypress-plugin-2-2-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS issue in version 2.2.1, providing details for security practitioners to assess and address exposure in affected WordPress environments.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables exploitation of public-facing applications (T1190) via malicious links (T1204.001) that execute arbitrary JavaScript in the victim's browser (T1059.007).