Cyber Posture

CVE-2025-23964

High

Published: 26 March 2025

Published
26 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0012 29.9th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

Security Summary

CVE-2025-23964 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the ajitae Google Plus (google-plus-google) WordPress plugin. This issue impacts all versions from n/a through 1.0.2. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and was published on 2025-03-26T15:16:07.173.

Remote attackers can exploit this vulnerability over the network with low complexity and no required privileges, though it necessitates user interaction such as clicking a malicious link. Exploitation enables script injection into dynamically generated web pages, achieving low impacts on confidentiality, integrity, and availability within a changed scope.

Patchstack documents this Reflected XSS vulnerability in their database entry for the WordPress Google Plus plugin version 1.0.2.

Details

CWE(s)
CWE-79

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
attack.mitre.org →
Why these techniques?

Reflected XSS in public-facing WordPress plugin directly enables T1190 (exploiting public-facing apps) and is delivered via malicious links matching T1566.002.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References