CVE-2025-23889
Published: 24 January 2025
Description
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Security Summary
CVE-2025-23889 is an Improper Neutralization of Input During Web Page Generation vulnerability, manifesting as a Reflected Cross-site Scripting (XSS) issue under CWE-79. It affects the FooGallery Captions WordPress plugin (foogallery-captions) by tormorten, impacting all versions from n/a through 1.0.2 inclusive. The vulnerability was published on 2025-01-24.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as clicking a malicious link. Remote attackers without authentication can exploit it to inject and execute arbitrary scripts in users' browsers within the context of the affected site, potentially compromising session data or performing actions on behalf of the victim, with low impacts to confidentiality, integrity, and availability due to the changed scope.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/foogallery-captions/vulnerability/wordpress-foogallery-captions-plugin-1-0-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS directly enables arbitrary JavaScript execution in the victim's browser (T1059.007) and facilitates delivery via crafted malicious links in spearphishing attacks (T1566.002).