CVE-2025-23432
Published: 16 January 2025
Summary
CVE-2025-23432 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 17.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-15 requires filtering information prior to output to web pages to prevent cross-site scripting attacks, directly mitigating the reflected XSS vulnerability by neutralizing malicious scripts during web page generation in the AlT Report plugin.
SI-10 mandates information input validation at critical entry points, addressing the improper neutralization of input that allows crafted malicious payloads to be reflected unsanitized in the AlT Report plugin.
SI-2 ensures flaws like this reflected XSS vulnerability in the AlT Report plugin are identified, reported, and remediated through timely patching to versions beyond 1.12.0.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS enables arbitrary JavaScript execution in the victim's browser (T1059.007) and is typically exploited by delivering the payload via a crafted phishing link that the user is tricked into clicking (T1566.002).
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AlTi5 AlT Report alt-report allows Reflected XSS.This issue affects AlT Report: from n/a through <= 1.12.0.
Deeper analysisAI
CVE-2025-23432 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-Site Scripting (XSS) under CWE-79, affecting the AlT Report WordPress plugin (alt-report) developed by AlTi5. The issue impacts all versions from unknown initial release through 1.12.0. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low attack complexity, no required privileges, user interaction, and changed scope.
A remote attacker without authentication can exploit this vulnerability by crafting malicious input that is reflected in dynamically generated web pages. This requires tricking a user, such as an authenticated WordPress administrator, into interacting with the payload, typically via a phishing link or malicious website. Successful exploitation enables script execution in the victim's browser context, potentially leading to low-impact theft of sensitive data like session cookies, low integrity modifications such as defacement, and low availability disruptions, with the changed scope allowing effects beyond the vulnerable component.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/alt-report/vulnerability/wordpress-alt-report-plugin-1-12-0-cross-site-scripting-xss-vulnerability?_s_id=cve provides details on this WordPress plugin vulnerability, recommending mitigation through updating to a patched version beyond 1.12.0 where available. Security practitioners should verify plugin updates and apply input sanitization as interim measures.
Details
- CWE(s)