CVE-2025-23541
Published: 23 January 2025
Summary
CVE-2025-23541 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-23541 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WordPress plugin "Download, Downloads" (ydn-download) by edmon.parker. This issue affects all versions of the plugin from n/a through 1.4.2 inclusive.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction needed, with changed scope and low impacts to confidentiality, integrity, and availability. Remote attackers can exploit it by tricking authenticated or unauthenticated users into interacting with maliciously crafted input reflected in web pages, such as via specially crafted links or requests.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/ydn-download/vulnerability/wordpress-download-downloads-plugin-1-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve documents this XSS vulnerability in the WordPress Download & Downloads plugin version 1.4.2 and provides relevant mitigation details for affected deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3239
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in edmon.parker Download, Downloads ydn-download allows Reflected XSS.This issue affects Download, Downloads : from n/a through <= 1.4.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables T1190 Exploit Public-Facing Application via crafted links/requests requiring user interaction.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates reflected XSS by filtering malicious scripts and untrusted content from web page output before rendering.
Prevents injection of malicious payloads by validating and sanitizing user inputs at entry points in the WordPress plugin.
Addresses the specific flaw in the ydn-download plugin versions <=1.4.2 by requiring timely identification, reporting, and patching.