CVE-2025-23505
Published: 03 March 2025
Summary
CVE-2025-23505 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 29.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-23505 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the Pit Login Welcome WordPress plugin (pit-login-welcome). This issue impacts all versions from n/a through 1.1.5, as disclosed on March 3, 2025, with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity by tricking an authenticated user into performing an action, such as clicking a malicious link. Exploitation changes the scope and enables execution of arbitrary scripts in the victim's browser context, resulting in low impacts to confidentiality, integrity, and availability.
Mitigation guidance and additional details are provided in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/pit-login-welcome/vulnerability/wordpress-pit-login-welcome-plugin-1-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5747
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pantho Bihosh Pit Login Welcome pit-login-welcome allows Reflected XSS. This issue affects Pit Login Welcome: from n/a through <= 1.1.5.
- CWE(s): CWE-79
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS vulnerability in a public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and execution of arbitrary JavaScript in the victim's browser via a malicious link (T1059.007).
Mitigating Controls (NIST 800-53 r5)
SI-15 mandates information output filtering, directly addressing the improper neutralization of input during web page generation that enables reflected XSS in the Pit Login Welcome plugin.
SI-10 requires input validation to sanitize or reject malicious payloads before they are reflected back in web responses, preventing XSS exploitation.
SI-2 ensures timely flaw remediation by patching the specific XSS vulnerability in Pit Login Welcome versions through 1.1.5.
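The two controls above correspond to two concrete steps in a plugin's request handler: decide whether a request value is acceptable at all (SI-10), and encode whatever is emitted for the HTML context it lands in (SI-15). The following PHP is an added example and is not code from the Pit Login Welcome plugin or from the Patchstack advisory; the parameter name `welcome_name`, the page fragment and the sample request values are assumptions constructed for illustration of the CWE-79 pattern the advisory describes.

```php
<?php
// Added example, not code from the Pit Login Welcome plugin. It shows the
// CWE-79 pattern described in the advisory (a request parameter reflected
// into a page without neutralization) beside a version that applies the two
// controls named above: SI-10 input validation and SI-15 output filtering.
// The parameter name "welcome_name" and the markup are hypothetical.

// BEFORE: the request value is concatenated straight into HTML, so a value
// carried in a crafted link can change the structure of the response
// (reflected XSS, CWE-79).
function render_welcome_vulnerable(array $get): string
{
    $name = $get['welcome_name'] ?? 'guest';
    return '<p class="welcome">Welcome back, ' . $name . '!</p>';
}

// SI-10 (input validation): accept only the shape the feature needs.
// Letters in any script, digits, spaces, apostrophes and hyphens, at most
// 40 characters; anything else is rejected rather than "cleaned".
function validate_welcome_name(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{N} \'\-]{1,40}$/u', $raw)) {
        return null;
    }
    return $raw;
}

// SI-15 (output filtering): encode for the HTML body context at the point
// of output, so the value can only ever be displayed as text.
function esc_for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// AFTER: validation decides whether the value is used; encoding guarantees
// that even an accepted value cannot alter the page structure.
function render_welcome_fixed(array $get): string
{
    $name = validate_welcome_name($get['welcome_name'] ?? null) ?? 'guest';
    return '<p class="welcome">Welcome back, ' . esc_for_html($name) . '!</p>';
}

// Demonstration with constructed request values.
$hostile = ['welcome_name' => '<img src=x onerror=alert(1)>'];
echo render_welcome_vulnerable($hostile), PHP_EOL; // tag is emitted as live markup
echo render_welcome_fixed($hostile), PHP_EOL;      // rejected by validation; "guest" shown

$legit = ['welcome_name' => "O'Brien"];
echo render_welcome_fixed($legit), PHP_EOL;        // accepted, apostrophe entity-encoded
```

In a real WordPress plugin the output step is normally written with the core helpers `esc_html()` (HTML body) or `esc_attr()` (attribute values) rather than a hand-rolled wrapper; the point that carries over is that encoding is applied where the value is printed, chosen for the context it is printed into, and not skipped because the value already passed validation. Validation alone is not a substitute for SI-15, because a later code change can widen the accepted character set without anyone revisiting the template.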