CVE-2025-23814

CVE-2025-23814 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the CRUDLab Like Box WordPress plugin (crudlab-facebook-like-box). Published on 2025-03-03, it affects all versions from n/a through 2.0.9.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). Remote attackers require no privileges and can exploit it over the network with low attack complexity by tricking authenticated users into performing an action, such as visiting a maliciously crafted URL. Successful exploitation enables script execution in the victim's browser context, potentially allowing limited impacts to confidentiality, integrity, and availability within a changed security scope.

Advisories, including the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/crudlab-facebook-like-box/vulnerability/wordpress-crudlab-like-box-plugin-2-0-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, provide details on the vulnerability for WordPress administrators.