CVE-2025-23429
Published: 16 January 2025
Summary
CVE-2025-23429 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 17.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the reflected XSS vulnerability by identifying, prioritizing, and applying timely patches or updates to the affected Altima Lookbook Free for WooCommerce plugin versions up to 1.1.0.
Prevents XSS exploitation by filtering and encoding untrusted outputs generated during web page rendering in the vulnerable WordPress plugin.
Addresses the root cause of reflected XSS by validating and sanitizing user inputs before they are processed and reflected by the plugin.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS enables arbitrary JavaScript execution in the victim's browser, directly facilitating browser session hijacking (T1185) and stealing web session cookies (T1539) as described for session hijacking and data exfiltration.
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in altima-interactive Altima Lookbook Free for WooCommerce altima-lookbook-free-for-woocommerce allows Reflected XSS.This issue affects Altima Lookbook Free for WooCommerce: from n/a through <= 1.1.0.
Deeper analysisAI
CVE-2025-23429 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as reflected Cross-site Scripting (XSS, CWE-79), in the Altima Lookbook Free for WooCommerce WordPress plugin by altima-interactive. Published on 2025-01-16, it affects all versions of the plugin from n/a through 1.1.0.
With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability is exploitable remotely over the network by unauthenticated attackers with low complexity, though it requires user interaction such as clicking a malicious link. Successful exploitation allows injection and execution of arbitrary JavaScript in the victim's browser, enabling low-impact confidentiality, integrity, and availability effects with changed scope, such as session hijacking or data exfiltration from the targeted user.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/altima-lookbook-free-for-woocommerce/vulnerability/wordpress-altima-lookbook-free-for-woocommerce-plugin-1-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve documents the issue in detail for WordPress plugin users. Mitigation guidance from such advisories typically recommends updating to a version beyond 1.1.0 or disabling the plugin if no patch is available.
Details
- CWE(s)