CVE-2025-23960
Published: 23 January 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-23960, published on 2025-01-23, is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79. It affects the WordPress plugin "Save & Import Image from URL" developed by basteln3rk, impacting all versions from n/a through 0.7 inclusive.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as clicking a malicious link. Remote attackers can exploit it by tricking authenticated or unauthenticated users into interacting with crafted input, resulting in reflected XSS execution in the victim's browser context with changed scope, enabling low-level impacts on confidentiality, integrity, and availability, such as session token theft or malicious script injection.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/save-import-image-from-url/vulnerability/wordpress-save-import-image-from-url-plugin-0-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the vulnerability in this WordPress plugin.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS vulnerability in the public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and facilitates session token theft via malicious script injection in the victim's browser (T1539).