CVE-2025-23454
Published: 21 January 2025
Summary
CVE-2025-23454 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-23454 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the flashmaniac Nature FlipBook WordPress plugin (vertical-diamond-flipbook-flash). This issue affects all versions of the plugin from n/a through 1.7 inclusive. The vulnerability was published on 2025-01-21 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges but user interaction, such as clicking a malicious link. Exploitation changes the security scope, enabling limited impacts on confidentiality, integrity, and availability. In practice, this allows reflected XSS payloads to execute in the victim's browser context, potentially leading to session hijacking, data theft, or other client-side attacks against authenticated users.
The Patchstack advisory documents this Reflected XSS vulnerability specifically in Nature FlipBook WordPress plugin version 1.7 and provides vulnerability details for the vertical-diamond-flipbook-flash component. Security practitioners should review the advisory at https://patchstack.com/database/Wordpress/Plugin/vertical-diamond-flipbook-flash/vulnerability/wordpress-nature-flipbook-wordpress-plugin-plugin-1-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for mitigation recommendations, such as plugin updates or configuration changes.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3190
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flashmaniac Nature FlipBook vertical-diamond-flipbook-flash allows Reflected XSS.This issue affects Nature FlipBook: from n/a through <= 1.7.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and allows arbitrary JavaScript execution in the victim's browser (T1059.007).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-15 requires filtering of information outputs, directly preventing reflected XSS by neutralizing malicious scripts before they are rendered in the victim's browser.
SI-10 enforces validation of information inputs, blocking XSS payloads at the point of entry to the Nature FlipBook WordPress plugin.
SI-2 mandates identification and remediation of system flaws, such as patching the vulnerable vertical-diamond-flipbook-flash plugin up to version 1.7.