CVE-2025-23852
Published: 03 March 2025
Description
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Security Summary
CVE-2025-23852 is an improper neutralization of input during web page generation vulnerability, enabling reflected cross-site scripting (XSS) as defined by CWE-79, in the First Comment Redirect WordPress plugin developed by robin90. This issue affects the plugin from its initial release through version 1.0.3.
The vulnerability carries a CVSS v3.1 base score of 7.1 (High) with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. Remote attackers require no privileges and face low attack complexity but must trick users into interacting, such as via a malicious link or comment. Exploitation reflects attacker-controlled input as executable scripts in the victim's browser, with changed scope enabling low-level impacts on confidentiality, integrity, and availability, such as limited data theft or page manipulation.
Patchstack documents this vulnerability in their database for the First Comment Redirect WordPress plugin up to version 1.0.3, accessible at https://patchstack.com/database/Wordpress/Plugin/first-comment-redirect/vulnerability/wordpress-first-comment-redirect-plugin-1-0-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve. Practitioners should review the advisory for specific mitigation steps, including potential plugin updates.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS vulnerability allows crafting malicious links that execute arbitrary scripts in the victim's browser upon interaction, directly facilitating drive-by compromise attacks on users of the vulnerable WordPress site.