CVE-2025-23839
Published: 24 January 2025
Description
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Security Summary
CVE-2025-23839 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-site Scripting (XSS) under CWE-79, in the Sticky Button WordPress plugin (sticky-chat-button) developed by Asif Shakeel. This issue affects all versions of the plugin from unknown initial release through 1.0 inclusive. The vulnerability was published on 2025-01-24.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction needed for exploitation, with changed scope and low impacts to confidentiality, integrity, and availability. Attackers can submit malicious input through the plugin, which is stored and executed as JavaScript in the browser context of users viewing affected pages, such as site visitors interacting with the sticky chat button feature.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/sticky-chat-button/vulnerability/wordpress-sticky-button-plugin-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Stored XSS vulnerability in Sticky Button plugin version 1.0 for WordPress. Security practitioners should review this reference for detailed analysis and recommended mitigations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in public-facing WordPress plugin directly enables T1190 Exploit Public-Facing Application for initial access via malicious input submission; facilitates T1189 Drive-by Compromise as stored JS executes in visitors' browsers upon page view.