CVE-2025-23847
Published: 03 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-23847 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79. It affects the Site Launcher WordPress plugin, also referred to as saill Site Launcher site-launcher, in all versions up to and including 0.9.4.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). Remote attackers with no privileges can exploit it over the network with low attack complexity by tricking authenticated users into performing actions such as visiting a malicious URL or submitting crafted input that gets reflected unsanitized on the page. Exploitation executes arbitrary JavaScript in the victim's browser context with changed scope, enabling limited impacts on confidentiality, integrity, and availability, such as session hijacking or data exfiltration.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/site-launcher/vulnerability/wordpress-site-launcher-plugin-0-9-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents this Reflected XSS issue specifically in Site Launcher version 0.9.4.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables arbitrary JS execution in browser via crafted malicious URL (facilitates T1189 Drive-by Compromise); explicitly supports session hijacking via cookie theft (T1539 Steal Web Session Cookie).