CVE-2025-23851
Published: 14 February 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23851 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WordPress plugin Coronavirus (COVID-19) Outbreak Data Widgets by Khushwant Singh. The vulnerability affects all versions of the plugin up to and including 1.1.1. It was published on 2025-02-14 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The attack requires a remote, unauthenticated attacker to craft a malicious input that is reflected back in a web page, tricking a user into interacting with it, such as by visiting a specially crafted URL. Upon successful exploitation, the attacker can execute arbitrary scripts in the victim's browser context, potentially leading to low-level impacts on confidentiality, integrity, and availability, with a scope change that affects the site's users.
Mitigation details are documented in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/coronavirus-data-widgets/vulnerability/wordpress-coronavirus-covid-19-outbreak-data-widgets-plugin-1-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a reflected XSS (CWE-79) in a public-facing WordPress plugin, directly enabling T1190 (Exploit Public-Facing Application) via crafted malicious input in URLs and facilitating T1059.007 (JavaScript) for arbitrary script execution in the victim's browser context.