CVE-2025-23494
Published: 03 March 2025
Summary
CVE-2025-23494 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); ranked at the 29.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires filtering of web page outputs to neutralize untrusted input reflected without sanitization, preventing reflected XSS execution.
Mandates validation of user inputs to block malicious payloads before they are reflected in page generation, addressing the core neutralization failure.
Ensures flaws like this improper input neutralization in the Quizzin plugin are identified, reported, and remediated via patching within defined timeframes.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS allows crafting malicious links that execute JavaScript in the victim's browser upon interaction, directly mapping to spearphishing links for delivery, malicious link user execution, and JavaScript scripting.
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in binnyva Quizzin quizzin allows Reflected XSS.This issue affects Quizzin: from n/a through <= 1.01.4.
Deeper analysisAI
CVE-2025-23494 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Quizzin WordPress plugin developed by binnyva. This issue affects Quizzin versions from n/a through 1.01.4, allowing malicious input to be reflected in web page generation without proper neutralization.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction needed for exploitation. An attacker can craft a malicious link or input that, when interacted with by a victim (such as clicking or submitting), executes scripts in the victim's browser context. This enables limited impacts on confidentiality, integrity, and availability, with a changed scope that could affect other users or site resources.
The Patchstack advisory documents this Reflected XSS vulnerability in the WordPress Quizzin plugin up to version 1.01.4, providing details for security practitioners to review for mitigation steps such as applying available patches or updates.
Details
- CWE(s)