CVE-2025-23857
Published: 14 February 2025
Description
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Security Summary
CVE-2025-23857 is an improper neutralization of input during web page generation vulnerability, enabling reflected cross-site scripting (XSS) as classified under CWE-79. It affects the Essential WP Real Estate WordPress plugin developed by SmartDataSoft (essential-wp-real-estate), impacting all versions from n/a through 1.1.3 inclusive. The issue was published on 2025-02-14.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility with low attack complexity and no required privileges, though user interaction is necessary. Remote attackers can exploit it by tricking authenticated or unauthenticated users—such as site visitors—into interacting with malicious input, like a crafted URL. This leads to arbitrary script execution in the victim's browser context, with changed scope enabling low impacts on confidentiality, integrity, and availability.
The Patchstack advisory provides details on this reflected XSS issue in Essential WP Real Estate plugin version 1.1.3, accessible at https://patchstack.com/database/Wordpress/Plugin/essential-wp-real-estate/vulnerability/wordpress-essential-wp-real-estate-plugin-1-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve. Security practitioners should review it for recommended mitigations, such as applying available patches or updates beyond version 1.1.3.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS via crafted URLs enables drive-by compromise (T1189) when users visit the vulnerable site; the attack vector of tricking users with malicious links aligns with spearphishing link delivery (T1566.002).