CVE-2025-23984
Published: 03 February 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23984 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Dynamic URL SEO WordPress plugin developed by brainvireinfo. The flaw affects the plugin from unknown initial versions through 1.0 inclusive, enabling attackers to inject malicious scripts via unsanitized input reflected in web page generation.
With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability is exploitable over the network by unauthenticated attackers requiring low complexity and user interaction, such as tricking a site visitor or administrator into following a malicious link. Successful exploitation changes the security scope, allowing script execution in the victim's browser context and resulting in low impacts to confidentiality, integrity, and availability, such as potential session hijacking or data theft from the affected user.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/dynamic-url-seo/vulnerability/wordpress-dynamic-url-seo-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve provides further details on the vulnerability for mitigation guidance.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables exploitation of public-facing apps (T1190) via crafted malicious links (T1204.001) that inject/execute JavaScript in browser context (T1059.007).