CVE-2025-23966
Published: 22 January 2025
Description
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Security Summary
CVE-2025-23966 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the "a Gateway for Pasargad Bank on WooCommerce" WordPress plugin by Ala Falaki. The issue affects the plugin in all versions from n/a through 2.5.2.
With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability can be exploited remotely over the network by unauthenticated attackers using low-complexity methods that require user interaction, such as clicking a malicious link. Successful exploitation enables arbitrary script execution in the victim's browser context, resulting in low impacts to confidentiality, integrity, and availability, with a changed scope.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/a-gateway-for-pasargad-bank-on-woocommerce/vulnerability/wordpress-a-gateway-for-pasargad-bank-on-woocommerce-plugin-2-5-2-cross-site-scripting-xss-vulnerability?_s_id=cve details the Cross-site Scripting vulnerability in the "a Gateway for Pasargad Bank on WooCommerce" WordPress plugin up to version 2.5.2.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables exploitation of web app (T1190) via malicious link requiring user click (T1204.001), commonly delivered through spearphishing (T1566.002).