CVE-2025-23812
Published: 22 January 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-23812 is an improper neutralization of input during web page generation vulnerability, classified as reflected cross-site scripting (XSS) under CWE-79, affecting the WordPress plugin Contact Form 7 Round Robin Lead Distribution (contact-form-7-round-robin-lead-distribution) in all versions up to and including 1.2.1. Published on 2025-01-22, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low attack complexity, and scope change despite requiring user interaction.
Remote attackers with no privileges can exploit this vulnerability over the network by crafting input that is reflected unsanitized into a web page and tricking a user into interacting with it, for example via a phishing link or a form submission. Successful exploitation executes arbitrary JavaScript in the victim's browser context, with a CVSS scope change because the affected component (the plugin) differs from the impacted one (the user's browser); the impact on confidentiality, integrity, and availability is rated low, covering outcomes such as session hijacking or minor data theft within the site's domain.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/contact-form-7-round-robin-lead-distribution/vulnerability/wordpress-contact-form-7-round-robin-lead-distribution-plugin-1-2-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the vulnerability in the plugin.
Details
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, cross-site scripting)
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.007 Command and Scripting Interpreter: JavaScript
- T1185 Browser Session Hijacking
Why these techniques?
Reflected XSS in a public-facing WordPress plugin directly enables exploitation of the web application (T1190) to execute arbitrary JavaScript in the victim's browser (T1059.007), which in turn facilitates session hijacking (T1185) via the crafted phishing links described above.