Cyber Posture

CVE-2025-23523

High

Published: 14 February 2025

Published
14 February 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0011 29.2th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-23523 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 29.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to JavaScript (T1059.007) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Remediating the specific reflected XSS flaw in the HSS Embed Streaming Video WordPress plugin up to version 3.23 directly eliminates the vulnerability.

SI-15 Information Output Filtering good match
prevent

Filtering information outputs during web page generation ensures proper neutralization of untrusted input, preventing reflected XSS execution in the victim's browser.

SI-10 Information Input Validation good match
prevent

Validating inputs to the plugin prevents malicious payloads from being accepted and reflected in generated web pages.

MITRE ATT&CK Enterprise TechniquesAI

T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
attack.mitre.org →
T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
attack.mitre.org →
Why these techniques?

Reflected XSS vulnerability directly enables arbitrary JavaScript execution in the victim's browser (T1059.007) and is exploited via a maliciously crafted link requiring user interaction, facilitating spearphishing link delivery (T1566.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hoststreamsell HSS Embed Streaming Video hss-embed-streaming-video allows Reflected XSS.This issue affects HSS Embed Streaming Video: from n/a through <= 3.23.

Deeper analysisAI

CVE-2025-23523 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS, CWE-79), in the hoststreamsell HSS Embed Streaming Video WordPress plugin (hss-embed-streaming-video). The issue affects all versions from n/a through 3.23 inclusive, with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

A remote attacker can exploit this vulnerability over the network with low attack complexity and no privileges required, though it necessitates user interaction such as visiting a maliciously crafted link or page. Exploitation changes the scope of impact, enabling limited effects on confidentiality, integrity, and availability, typically through execution of arbitrary JavaScript in the context of the victim's browser session.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/hss-embed-streaming-video/vulnerability/wordpress-hss-embed-streaming-video-plugin-3-23-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the Reflected XSS vulnerability in the HSS Embed Streaming Video WordPress plugin up to version 3.23.

Details

CWE(s)
CWE-79

CVEs Like This One

CVE-2026-32517Shared CWE-79
CVE-2025-23889Shared CWE-79
CVE-2025-23432Shared CWE-79
CVE-2025-26554Shared CWE-79
CVE-2025-23521Shared CWE-79
CVE-2024-56296Shared CWE-79
CVE-2025-23544Shared CWE-79
CVE-2025-23536Shared CWE-79
CVE-2025-23575Shared CWE-79
CVE-2025-23742Shared CWE-79

References