CVE-2025-23850
Published: 03 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23850 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Mojo Under Construction WordPress plugin by mojowill. This issue affects the plugin from unknown initial versions through version 1.1.2 inclusive. The vulnerability was published on 2025-03-03.
The CVSS v3.1 base score is 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no privileges required, and user interaction needed, with changed scope and low impacts on confidentiality, integrity, and availability. Remote attackers can exploit it by tricking authenticated or unauthenticated users into interacting with malicious input, such as clicking a crafted link, leading to execution of arbitrary JavaScript in the victim's browser context.
The Patchstack advisory provides further details on the vulnerability in the WordPress Mojo Under Construction plugin version 1.1.2, including remediation guidance, accessible at https://patchstack.com/database/Wordpress/Plugin/mojo-under-construction/vulnerability/wordpress-mojo-under-construction-plugin-1-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS vulnerability in a public-facing WordPress plugin allows remote attackers to execute arbitrary JavaScript in the victim's browser by exploiting the web application (T1190) and using JavaScript as a scripting interpreter (T1059.007).