Cyber Resilience

CVE-2025-23447

High

Published: 03 March 2025

Published
03 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0023 46.2th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-23447 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); ranked at the 46.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-23447 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the Smooth Dynamic Slider WordPress plugin developed by Kundan Yevale. The issue impacts all versions of the plugin from n/a through 1.0 inclusive, allowing malicious input to be reflected without proper sanitization during web page generation.

With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability is exploitable over the network by unauthenticated attackers requiring low complexity and user interaction, such as tricking a victim into visiting a maliciously crafted URL. Successful exploitation enables reflected XSS, where injected scripts execute in the victim's browser context with changed scope, potentially compromising low levels of confidentiality, integrity, and availability, such as session hijacking or data theft from the affected user.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/smooth-dynamic-slider/vulnerability/wordpress-smooth-dynamic-slider-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.

EU & UK References

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kundan Yevale Smooth Dynamic Slider smooth-dynamic-slider allows Reflected XSS.This issue affects Smooth Dynamic Slider: from n/a through <= 1.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Reflected XSS via crafted URL enables delivery through spearphishing links (T1566.002) requiring user execution of malicious link (T1204.001), with JavaScript payload execution (T1059.007) leading to web session cookie theft (T1539) for hijacking.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33135Shared CWE-79
CVE-2026-25342Shared CWE-79
CVE-2026-24751Shared CWE-79
CVE-2026-23973Shared CWE-79
CVE-2025-67947Shared CWE-79
CVE-2025-23494Shared CWE-79
CVE-2025-23635Shared CWE-79
CVE-2025-68846Shared CWE-79
CVE-2025-22330Shared CWE-79
CVE-2025-26991Shared CWE-79

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of user inputs to prevent improper neutralization of malicious scripts in reflected XSS attacks.

prevent

Mandates filtering of information outputs during web page generation to block execution of injected scripts in victims' browsers.

prevent

Ensures timely identification, reporting, and patching of the specific flaw in the Smooth Dynamic Slider WordPress plugin.

References