CVE-2025-23431
Published: 14 February 2025
Summary
CVE-2025-23431 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at percentile 29.3 by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-23431, published on 2025-02-14, is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Envato Affiliater WordPress plugin by khaninejad (envato-affiliater). It affects all versions of the plugin from n/a through 1.2.4 inclusive, with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The vulnerability can be exploited remotely over the network by unauthenticated attackers with low attack complexity, though it requires user interaction, such as a victim visiting a maliciously crafted URL. The plugin reflects attacker-controlled request input into generated pages without proper neutralization, so a victim who follows a crafted link runs attacker-supplied JavaScript in the context of the vulnerable site. This can result in limited impacts to confidentiality, integrity, and availability; because the scope is changed (the vulnerable component is the plugin, but the impacted component is the victim's browser session), consequences can include session hijacking or data exfiltration from authenticated users.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/envato-affiliater/vulnerability/wordpress-envato-affiliater-plugin-1-2-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the issue specifically in Envato Affiliater plugin version 1.2.4 for WordPress. Practitioners should review this reference for detailed mitigation steps, such as updating the plugin if a fixed version is available, or disabling it until one is.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3178
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in khaninejad Envato Affiliater envato-affiliater allows Reflected XSS. This issue affects Envato Affiliater: from n/a through <= 1.2.4.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress plugin is reached by exploiting a public-facing application (T1190), and the resulting arbitrary JavaScript execution in the victim's browser context enables browser session hijacking (T1185).
Mitigating Controls (NIST 800-53 r5)
SI-10 directly enforces validation of untrusted input, such as request parameters carried in a crafted URL, preventing the improper neutralization that enables reflected XSS in the Envato Affiliater plugin.
SI-15 requires filtering of information outputs during web page generation, so that reflected attacker-controlled data is encoded for its output context rather than executed as JavaScript in victims' browsers.
SI-2 mandates identification and remediation of flaws like this plugin vulnerability through timely patching or disabling.
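To make the SI-10 / SI-15 distinction concrete for the reflected-XSS pattern described in the Deeper analysis section and the controls above, here is an added PHP example. It is not code from the Envato Affiliater plugin or from Patchstack; the handler, the parameter name `ea_search`, and the rendering logic are hypothetical, and the real plugin's vulnerable parameter is not stated on this page. The hardened version uses the WordPress helpers `wp_unslash`, `sanitize_text_field`, `esc_html` and `esc_attr` (all real WordPress functions); simplified stand-ins are defined so the file also runs outside WordPress under the PHP CLI.

```php
<?php
// Added example (not the Envato Affiliater plugin's code). Hypothetical
// WordPress handler that reflects a request parameter into generated HTML.
// The parameter name "ea_search" and the markup are assumptions.

// Simplified stand-ins for the WordPress helpers, used only when the file is
// run outside WordPress. Inside WordPress the real functions are already loaded.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) {
        return is_string( $value ) ? stripslashes( $value ) : $value;
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    // Approximation of WordPress behaviour: strip tags and control characters, trim.
    function sanitize_text_field( $str ) {
        $str = strip_tags( (string) $str );
        $str = preg_replace( '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $str );
        return trim( $str );
    }
}

// --- Vulnerable pattern (CWE-79): raw request input written into the page ---
function ea_example_render_vulnerable( array $get ) {
    $term = isset( $get['ea_search'] ) ? $get['ea_search'] : '';
    // The value is concatenated straight into markup in two different contexts
    // (element text and an attribute value), so a crafted URL controls the HTML.
    return '<p>Results for: ' . $term . '</p>'
         . '<input type="text" name="ea_search" value="' . $term . '">';
}

// --- Hardened pattern: validate on input (SI-10), escape on output (SI-15) ---
function ea_example_render_hardened( array $get ) {
    // SI-10: unslash, reduce to plain text, and enforce a length bound.
    $term = isset( $get['ea_search'] )
        ? sanitize_text_field( wp_unslash( $get['ea_search'] ) )
        : '';
    if ( strlen( $term ) > 100 ) {
        $term = '';
    }
    // SI-15: escape for the exact output context at the point of output.
    // Input sanitization alone is not sufficient; encoding is what neutralizes
    // the remaining characters for the HTML text and attribute contexts.
    return '<p>Results for: ' . esc_html( $term ) . '</p>'
         . '<input type="text" name="ea_search" value="' . esc_attr( $term ) . '">';
}

// Constructed, benign sample request: markup in the parameter shows whether it
// survives into the page. A real request would come from $_GET.
$sample_get = array( 'ea_search' => '<b>affiliate "deal"</b>' );

echo "Vulnerable:\n", ea_example_render_vulnerable( $sample_get ), "\n\n";
echo "Hardened:\n",   ea_example_render_hardened( $sample_get ), "\n";
```

Run with `php example.php`: the vulnerable output contains the raw `<b>` tags and unescaped quotes inside the `value` attribute, while the hardened output renders the same term as literal text with `&lt;`, `&gt;` and `&quot;` entities. The point for reviewers of any plugin affected by this class of issue is that SI-10 and SI-15 are complementary: sanitizing input narrows what reaches the page, but only context-specific escaping at output time closes the reflected-XSS path.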