CVE-2025-23882
Published: 22 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-23882 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WP Download Codes WordPress plugin by misanthrop (wp-download-codes). It affects all versions from n/a through 2.5.4. Published on 2025-01-22T15:15:25.123, the vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The vulnerability can be exploited remotely over the network by unauthenticated attackers with low attack complexity, though it requires user interaction such as clicking a malicious link. Successful exploitation allows injection of arbitrary scripts into web pages viewed by victims, potentially leading to low-level impacts on confidentiality, integrity, and availability within a changed scope.
The Patchstack advisory documents the Reflected XSS issue in WP Download Codes version 2.5.4 and is available at https://patchstack.com/database/Wordpress/Plugin/wp-download-codes/vulnerability/wordpress-wp-download-codes-plugin-2-5-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a reflected XSS vulnerability in a public-facing WordPress plugin exploitable remotely by unauthenticated attackers via crafted links, directly mapping to exploitation of public-facing applications.