CVE-2025-23885
Published: 24 January 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23885 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the MJ Contact Us WordPress plugin by anildhiman. The issue affects all versions of the plugin from n/a through 5.2.3, enabling attackers to inject malicious scripts via unsanitized input reflected in web page generation.
With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability is exploitable remotely over the network with low attack complexity and no required privileges, though it demands user interaction such as clicking a malicious link. Any unauthenticated attacker can trick victims into triggering the XSS payload on sites running vulnerable plugin versions, achieving low impacts on confidentiality, integrity, and availability within a changed scope, typically allowing script execution in the victim's browser context.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/mj-contact-us/vulnerability/wordpress-mj-contact-us-plugin-5-2-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables arbitrary JavaScript execution in the victim's browser (T1059.007) when triggered by a crafted malicious link requiring user interaction (T1204.001).