CVE-2025-23438
Published: 16 January 2025
Summary
CVE-2025-23438 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation and sanitization of inputs to prevent malicious script injection in reflected XSS vulnerabilities like this one in WP PT-Viewer.
Mandates filtering and neutralization of outputs during web page generation to block reflected malicious payloads from executing in victims' browsers.
Ensures timely identification, reporting, and remediation of flaws such as this improper input neutralization in the WP PT-Viewer plugin up to version 2.0.2.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables T1190 (exploiting public-facing app via crafted input) and T1203 (arbitrary client-side script execution in browser).
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vincent Mimoun-Prat WP PT-Viewer wp-ptviewer allows Reflected XSS.This issue affects WP PT-Viewer: from n/a through <= 2.0.2.
Deeper analysisAI
CVE-2025-23438 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-Site Scripting (XSS) under CWE-79, affecting the WP PT-Viewer WordPress plugin developed by Vincent Mimoun-Prat. The issue impacts all versions of the plugin from n/a through 2.0.2 inclusive. It has a CVSS v3.1 base score of 7.1, reflecting a high-severity rating due to its network accessibility, low complexity, lack of required privileges, user interaction dependency, and scope change with low impacts on confidentiality, integrity, and availability.
A remote, unauthenticated attacker can exploit this vulnerability by crafting malicious input that is reflected in the generated web page without proper neutralization. The attack requires a victim user, such as a site visitor or administrator, to interact with the malicious payload, typically via a phishing link or similar vector. Successful exploitation allows the attacker to execute arbitrary scripts in the victim's browser context, potentially leading to session hijacking, data theft, or further site compromise within the changed scope.
Patchstack has published an advisory detailing the vulnerability at https://patchstack.com/database/Wordpress/Plugin/wp-ptviewer/vulnerability/wordpress-wp-pt-viewer-plugin-2-0-2-reflected-xss-vulnerability?_s_id=cve, which security practitioners should consult for specific mitigation guidance, such as updating to a patched version if available or applying workarounds.
Details
- CWE(s)