Cyber Resilience

CVE-2025-23531

High

Published: 27 January 2025

Published
27 January 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0008 23.9th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-23531 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 23.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-23531 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the RSVPMaker Volunteer Roles WordPress plugin (rsvpmaker-volunteer-roles) developed by davidfcarr. This issue affects all versions of the plugin from unknown initial release through 1.5.1.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as clicking a malicious link. Unauthenticated attackers can exploit it by crafting payloads reflected in web pages, achieving low impacts on confidentiality, integrity, and availability within a changed scope, potentially allowing session hijacking or script execution in victims' browsers.

Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/rsvpmaker-volunteer-roles/vulnerability/wordpress-rsvpmaker-volunteer-roles-plugin-1-5-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS in RSVPMaker Volunteer Roles up to version 1.5.1, with mitigation centered on updating to a patched version of the plugin.

EU & UK References

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in davidfcarr RSVPMaker Volunteer Roles rsvpmaker-volunteer-roles allows Reflected XSS.This issue affects RSVPMaker Volunteer Roles: from n/a through <= 1.5.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Reflected XSS directly enables arbitrary JavaScript execution in the victim's browser (T1059.007) and session hijacking via cookie theft or script injection (T1185).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-27279Shared CWE-79
CVE-2025-24541Shared CWE-79
CVE-2024-56036Shared CWE-79
CVE-2016-20032Shared CWE-79
CVE-2025-1401Shared CWE-79
CVE-2025-24416Shared CWE-79
CVE-2026-34566Shared CWE-79
CVE-2026-24744Shared CWE-79
CVE-2025-40899Shared CWE-79
CVE-2025-22598Shared CWE-79

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 Flaw Remediation directly addresses this CVE by requiring identification, reporting, and patching of the reflected XSS vulnerability in the RSVPMaker Volunteer Roles plugin.

prevent

SI-15 Information Output Filtering mitigates reflected XSS by ensuring malicious payloads reflected during web page generation are filtered and not executed in users' browsers.

prevent

SI-10 Information Input Validation prevents the improper neutralization of input by validating and sanitizing user-supplied data before web page generation in the plugin.

References