CVE-2025-23956
Published: 03 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23956 is a Reflected Cross-site Scripting (XSS) vulnerability, stemming from CWE-79 (Improper Neutralization of Input During Web Page Generation), in the WP Easy Post Mailer plugin (wp-mailer) developed by Richard Leishman. The flaw affects all versions of the plugin from its initial release through 0.64, allowing malicious input to be reflected and executed as script in users' browsers.
With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability can be exploited by unauthenticated remote attackers over the network with low complexity, though it requires user interaction such as clicking a crafted link or visiting a malicious page. Exploitation enables arbitrary script execution in the victim's browser context, resulting in low impacts to confidentiality, integrity, and availability, but with changed scope that could affect server resources or other users.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-mailer/vulnerability/wordpress-wp-easy-post-mailer-plugin-0-64-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS vulnerability in a public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and facilitates arbitrary JavaScript execution in the victim's browser (T1059.007).