CVE-2025-23920
Published: 03 February 2025
Description
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Security Summary
CVE-2025-23920 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the ApplicantPro WordPress plugin developed by Sourcing Team, with the issue present in versions from n/a through 1.3.9.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating exploitation is possible over the network with low complexity and no privileges required, though it demands user interaction such as clicking a malicious link. Remote attackers can deliver payloads via reflected inputs, executing arbitrary scripts in the victim's browser within a changed scope, potentially compromising low levels of confidentiality (e.g., session data theft), integrity (e.g., page manipulation), and availability.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/applicantpro/vulnerability/wordpress-applicantpro-plugin-1-3-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents this reflected XSS in the ApplicantPro WordPress plugin up to version 1.3.9, providing details for practitioners to assess and address the risk through updates or other recommended mitigations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables T1190 (Exploit Public-Facing Application) via network-delivered payloads and facilitates T1566.002 (Spearphishing Link) as the primary attack vector requiring user interaction with malicious URLs.