CVE-2025-23867
Published: 22 January 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-23867 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the markcoker WordPress File Search plugin (wpfilesearch). This issue affects the plugin from unknown initial versions through version 1.2 inclusive. The vulnerability was published on 2025-01-22 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this vulnerability remotely over the network with low attack complexity and no privileges required, though it necessitates user interaction such as clicking a malicious link. Upon successful exploitation, adversaries achieve limited impacts on confidentiality, integrity, and availability, with a changed scope that allows script execution in the victim's browser context, potentially leading to session hijacking or data theft within the site's origin.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wpfilesearch/vulnerability/wordpress-wordpress-file-search-plugin-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the Reflected XSS vulnerability in WordPress File Search plugin version 1.2, providing information on the issue for mitigation purposes.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables T1190 (exploit public-facing app via crafted URL), requires user interaction with malicious link for T1204.001, and facilitates T1185 (browser session hijacking via script execution in victim context).