CVE-2025-23905
Published: 14 February 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-23905 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Admin Options Pages WordPress plugin developed by Johannes van Poelgeest. The flaw affects all versions of the plugin from an unspecified initial release through 0.9.7.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction needed, with changed scope and low impacts on confidentiality, integrity, and availability. Remote attackers can exploit it by tricking authenticated users, such as site administrators, into interacting with maliciously crafted input reflected in admin pages, potentially leading to script execution in the victim's browser context.
Mitigation guidance is available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/admin-options-pages/vulnerability/wordpress-admin-options-pages-plugin-0-9-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, which details the Reflected XSS issue in version 0.9.7.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in WordPress admin plugin enables script injection/execution in authenticated user's browser via crafted URL, directly facilitating public-facing web app exploitation (T1190) and browser session hijacking (T1185).