Cyber Resilience

CVE-2025-23526

High

Published: 03 March 2025

Published
03 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0021 42.7th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-23526 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Swiftcloud Swift Calendar Online Appointment Scheduling. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-23526 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Swift Calendar Online Appointment Scheduling WordPress plugin (online-appointment-scheduling-software). This issue affects all versions from n/a through 1.3.3, as published on 2025-03-03.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as clicking a malicious link. Unauthenticated attackers can exploit it by injecting malicious payloads into web pages generated by the plugin, tricking victims into executing arbitrary scripts in their browser context with changed scope, potentially compromising low levels of confidentiality, integrity, and availability.

The Patchstack advisory provides further details on this WordPress plugin vulnerability, accessible at https://patchstack.com/database/Wordpress/Plugin/online-appointment-scheduling-software/vulnerability/wordpress-swift-calendar-online-appointment-scheduling-plugin-1-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.

EU & UK References

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SwiftCloud Swift Calendar Online Appointment Scheduling online-appointment-scheduling-software allows Reflected XSS.This issue affects Swift Calendar Online Appointment Scheduling: from n/a through <= 1.3.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The CVE describes a reflected XSS vulnerability in a public-facing WordPress plugin, directly enabling exploitation of public-facing applications (T1190) and allowing execution of arbitrary JavaScript in the victim's browser (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3231Shared CWE-79
CVE-2025-23481Shared CWE-79
CVE-2025-69302Shared CWE-79
CVE-2025-23734Shared CWE-79
CVE-2025-23571Shared CWE-79
CVE-2025-65110Shared CWE-79
CVE-2026-24948Shared CWE-79
CVE-2025-27352Shared CWE-79
CVE-2025-30349Shared CWE-79
CVE-2026-3876Shared CWE-79

Affected Assets

swiftcloud
swift calendar online appointment scheduling
≤ 1.3.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the improper neutralization of input by requiring validation of user inputs to prevent injection of malicious scripts in reflected XSS attacks.

prevent

Addresses the core issue of unfiltered output during web page generation by enforcing filtering to block execution of injected scripts in the victim's browser.

prevent

Ensures timely identification, reporting, and correction of the specific software flaw in the WordPress plugin that enables the reflected XSS vulnerability.

References