CVE-2025-23881
Published: 03 March 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2025-23881 is an improper neutralization of input during web page generation vulnerability, enabling reflected cross-site scripting (XSS) as classified under CWE-79. It affects the LJ Custom Menu Links WordPress plugin (lj-custom-menu-links) developed by littlejon, impacting all versions from n/a through 2.5 inclusive. The vulnerability was published on 2025-03-03.
Attackers can exploit this over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), resulting in a changed scope (S:C) and low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), for a CVSS v3.1 base score of 7.1. Any unauthenticated remote attacker could craft malicious input reflected in web pages, tricking users into triggering XSS via links or inputs processed by the plugin, potentially executing scripts in the victim's browser session.
Patchstack advisories document the reflected XSS vulnerability specifically in LJ Custom Menu Links plugin version 2.5, available at https://patchstack.com/database/Wordpress/Plugin/lj-custom-menu-links/vulnerability/wordpress-lj-custom-menu-links-plugin-2-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve. Security practitioners should consult this reference for detailed mitigation steps and patch availability.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) for client-side script execution in browser (T1203).