CVE-2025-23835
Published: 23 January 2025
Description
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Security Summary
CVE-2025-23835 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the Legal + WordPress plugin (also referred to as legal-plus) developed by jmraya. This issue impacts all versions of the plugin from n/a through 1.0 inclusive.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating exploitation is possible over the network with low attack complexity, no required privileges, but necessitating user interaction such as clicking a malicious link. Attackers can trick authenticated or unauthenticated users into executing arbitrary scripts in their browsers within the context of the vulnerable site, potentially leading to limited impacts on confidentiality (e.g., session hijacking), integrity, and availability with a changed scope.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/legal-plus/vulnerability/wordpress-legal-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents this reflected XSS vulnerability in the Legal + WordPress plugin version 1.0 and provides details on affected installations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables exploitation of web app (T1190), arbitrary JavaScript execution in browser (T1059.007), and delivery via malicious links (T1204.001) or spearphishing (T1566.002).