CVE-2025-23491

High

Published: 03 February 2025

Published

03 February 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0006 17.3th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-23491 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); ranked at the 17.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Spearphishing Link (T1566.002) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely identification, reporting, and correction of flaws like this reflected XSS vulnerability in the VSTEMPLATE Creator plugin, directly preventing exploitation through patching.

SI-15 Information Output Filtering good match

prevent

SI-15 mandates filtering of information outputs to neutralize malicious scripts reflected in web pages, comprehensively addressing reflected XSS attacks.

SI-10 Information Input Validation good match

prevent

SI-10 enforces validation of inputs to detect and reject malicious payloads before they are reflected unneutralized in web page generation.

MITRE ATT&CK Enterprise TechniquesAI

T1566.002 Spearphishing Link Initial Access

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

attack.mitre.org →

T1204.001 Malicious Link Execution

An adversary may rely upon a user clicking a malicious link in order to gain execution.

attack.mitre.org →

T1059.007 JavaScript Execution

Adversaries may abuse various implementations of JavaScript for execution.

attack.mitre.org →

T1185 Browser Session Hijacking Collection

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

attack.mitre.org →

Why these techniques?

Reflected XSS enables script injection via malicious links (T1566.002, T1204.001), JavaScript execution in browser (T1059.007), and session hijacking/data theft (T1185).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikash Srivastava VSTEMPLATE Creator vstemplate-creator allows Reflected XSS.This issue affects VSTEMPLATE Creator: from n/a through <= 2.0.2.

Deeper analysisAI

CVE-2025-23491, published on 2025-02-03, is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in Vikash Srivastava's VSTEMPLATE Creator WordPress plugin (vstemplate-creator). The issue affects all versions from n/a through 2.0.2. It carries a CVSS v3.1 base score of 7.1, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, no required privileges, user interaction needed, changed scope, and low impacts across confidentiality, integrity, and availability.

Remote attackers can exploit this vulnerability by crafting malicious inputs that are reflected back in web pages without proper neutralization, tricking users into interacting via phishing links or similar lures. No authentication is required, enabling unauthenticated attackers to target any site running the vulnerable plugin. Successful exploitation allows script injection in the victim's browser context, potentially leading to session hijacking, data theft, or unauthorized actions on behalf of the user, with the changed scope amplifying effects to site users or resources.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/vstemplate-creator/vulnerability/wordpress-vstemplate-creator-plugin-2-0-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents this reflected XSS vulnerability in the VSTEMPLATE Creator WordPress plugin up to version 2.0.2.

Details

CWE(s): CWE-79

CVEs Like This One

CVE-2026-33135Shared CWE-79

CVE-2025-68846Shared CWE-79

CVE-2026-25352Shared CWE-79

CVE-2025-1487Shared CWE-79

CVE-2025-22330Shared CWE-79

CVE-2025-23651Shared CWE-79

CVE-2025-24535Shared CWE-79

CVE-2025-25113Shared CWE-79

CVE-2025-67971Shared CWE-79

CVE-2025-23635Shared CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/vstemplate-creator/vulnerability/wordpress-vstemplate-creator-plugin-2-0-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com