CVE-2025-23866
Published: 22 January 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-23866 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the EU DSGVO Helper WordPress plugin by E. Marten. The issue affects all versions of the plugin up to and including 1.0.6.1; the first affected release is not stated. Published on 2025-01-22, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
An unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity, but it requires user interaction, such as the victim following a crafted link. The scope changes because the injected script executes in the victim's browser rather than on the vulnerable server component, and the impact on confidentiality, integrity, and availability is rated low. In practice this means arbitrary script execution in the context of the affected web page for the user who followed the link.
The Patchstack advisory for this WordPress plugin vulnerability, including guidance on mitigation and patching, is available at https://patchstack.com/database/Wordpress/Plugin/dsgvo/vulnerability/wordpress-eu-dsgvo-helper-plugin-1-0-6-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, Cross-site Scripting)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS is triggered directly when a user follows a malicious link, enabling arbitrary script execution in that user's browser.