Cyber Resilience

CVE-2025-23522

High

Published: 24 January 2025

Published
24 January 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0013 32.1th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-23522 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Portal Capture (T1056.003); ranked at the 32.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-23522 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the HM Portfolio WordPress plugin developed by Matthew Haines-Young. This issue affects the hm-portfolio plugin in all versions from n/a through 1.1.1 inclusive. The vulnerability was published on 2025-01-24.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no privileges required, and user interaction needed, with a changed scope and low impacts to confidentiality, integrity, and availability. Remote attackers can exploit it by crafting malicious inputs that reflect back to users via the web page, enabling script execution in the victim's browser context.

Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/hm-portfolio/vulnerability/wordpress-hm-portfolio-plugin-1-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS vulnerability in the WordPress HM Portfolio plugin version 1.1.1, providing details relevant to mitigation for affected deployments.

EU & UK References

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matthew Haines-Young HM Portfolio hm-portfolio allows Reflected XSS.This issue affects HM Portfolio: from n/a through <= 1.1.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1056.003 Web Portal Capture Collection
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service.
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

The reflected cross-site scripting vulnerability allows attackers to execute arbitrary JavaScript in the victim's browser context, which directly facilitates capturing inputs from web portals and hijacking browser sessions.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-25083Shared CWE-79
CVE-2025-0599Shared CWE-79
CVE-2025-23657Shared CWE-79
CVE-2025-24615Shared CWE-79
CVE-2026-42733Shared CWE-79
CVE-2026-28122Shared CWE-79
CVE-2026-24750Shared CWE-79
CVE-2025-7799Shared CWE-79
CVE-2026-1454Shared CWE-79
CVE-2026-4107Shared CWE-79

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely identification, reporting, and correction of software flaws like this reflected XSS vulnerability in the HM Portfolio WordPress plugin.

prevent

SI-15 mandates filtering of information output in web pages, directly preventing malicious script reflection and execution in victims' browsers.

prevent

SI-10 enforces validation of user inputs to the web application, reducing the risk of malicious payloads reaching the page generation process.

References