CVE-2025-23450
Published: 03 March 2025
Summary
CVE-2025-23450 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Exploit likelihood ranks at the 46.2nd percentile (below the median), and the CVE is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-23450, published on 2025-03-03, is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the AW WooCommerce Kode Pembayaran WordPress plugin (aw-woocommerce-kode-pembayaran), impacting all versions from n/a through 1.1.4.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). Remote attackers with no required privileges can exploit it over the network with low attack complexity, though it requires user interaction, such as visiting a maliciously crafted URL. Exploitation allows arbitrary script execution in the context of the victim's browser, resulting in low impacts to confidentiality, integrity, and availability, with a changed scope.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/aw-woocommerce-kode-pembayaran/vulnerability/wordpress-aw-woocommerce-kode-pembayaran-plugin-1-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the issue in the AW WooCommerce Kode Pembayaran plugin version 1.1.4 and earlier.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5761
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in agenwebsite AW WooCommerce Kode Pembayaran aw-woocommerce-kode-pembayaran allows Reflected XSS. This issue affects AW WooCommerce Kode Pembayaran: from n/a through <= 1.1.4.
- CWE(s): CWE-79
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
- T1059.007 (Command and Scripting Interpreter: JavaScript)
Why these techniques?
Reflected XSS in a public-facing WordPress plugin enables exploitation of web applications for initial access (T1190) and arbitrary JavaScript execution in the victim's browser via a crafted URL (T1059.007).
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): Directly addresses reflected XSS by filtering and encoding information output during web page generation to neutralize malicious scripts.
- SI-10 (Information Input Validation): Validates inputs such as malicious URLs to prevent untrusted data from being reflected in web pages without neutralization.
- SI-2 (Flaw Remediation): Remediates the specific improper neutralization flaw in the AW WooCommerce Kode Pembayaran plugin through timely patching of vulnerable versions up to 1.1.4.
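As an added illustration of the two controls above (this is not the plugin's code; the handler, the `kode` parameter name and the expected payment-code format are assumptions), the CWE-79 reflected-output pattern beside a hardened form that layers SI-10 input validation with SI-15 output encoding:

```php
<?php
// Added example: a hypothetical WordPress plugin handler, NOT the actual
// AW WooCommerce Kode Pembayaran code. The 'kode' parameter name and the
// expected payment-code format are assumptions for illustration only.

// Fallbacks so the file also runs outside WordPress (`php example.php`);
// inside WordPress the real esc_html() / wp_unslash() are used instead.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) { return stripslashes((string) $value); }
}

// VULNERABLE (CWE-79): the request parameter is written into the page as-is,
// so whatever a crafted URL carries is reflected into the victim's browser.
function render_payment_code_vulnerable(array $get): string {
    $kode = $get['kode'] ?? '';
    return '<p>Kode pembayaran: ' . $kode . '</p>';
}

// HARDENED: SI-10 (input validation) rejects anything that is not a plausible
// payment code, and SI-15 (output filtering) HTML-encodes what is rendered.
function render_payment_code_hardened(array $get): string {
    $kode = wp_unslash($get['kode'] ?? '');
    // Assumed format: 4 to 20 uppercase letters or digits. Fail closed otherwise.
    if (!preg_match('/\A[A-Z0-9]{4,20}\z/', $kode)) {
        return '<p>Invalid payment code.</p>';
    }
    // Encoding is still applied after validation: the two controls are layered,
    // so a later relaxation of the format check does not reopen the flaw.
    return '<p>Kode pembayaran: ' . esc_html($kode) . '</p>';
}

// Constructed inputs: a legitimate code and a request carrying HTML markup.
$legit   = ['kode' => 'INV20250303'];
$hostile = ['kode' => '<b>not-a-code</b>'];

echo render_payment_code_vulnerable($hostile), PHP_EOL; // markup reflected verbatim
echo render_payment_code_hardened($hostile), PHP_EOL;   // rejected by validation
echo render_payment_code_hardened($legit), PHP_EOL;     // rendered, HTML-encoded
```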