CVE-2025-23543
Published: 26 March 2025
Summary
CVE-2025-23543 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 29.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-23543 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (CWE-79), in the fomopay FOMO Pay Chinese Payment Solution plugin (fomo-payment-gateway-for-woocommerce) for WordPress. The issue affects all versions from n/a through 2.0.4, allowing attackers to inject malicious scripts into web pages viewed by other users.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). Remote attackers require no privileges and can exploit it over the network with low attack complexity by tricking authenticated users into performing actions such as visiting a maliciously crafted URL. Exploitation leads to limited impacts on confidentiality, integrity, and availability within a changed security scope, such as session hijacking or data exfiltration from the victim's browser.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/fomo-payment-gateway-for-woocommerce/vulnerability/wordpress-fomo-pay-chinese-payment-solution-plugin-2-0-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8195
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fomopay FOMO Pay Chinese Payment Solution fomo-payment-gateway-for-woocommerce allows Reflected XSS.This issue affects FOMO Pay Chinese Payment Solution: from n/a through <= 2.0.4.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS enables crafted malicious URLs that execute scripts in victims' browsers upon visit (T1189 Drive-by Compromise and T1204.001 Malicious Link), directly facilitating session hijacking via cookie theft (T1539 Steal Web Session Cookie) as described.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-15 directly prevents reflected XSS by requiring filtering and encoding of information prior to output on web pages, addressing the improper neutralization in the vulnerable WordPress plugin.
SI-10 enforces validation of user inputs to block malicious scripts from being processed, mitigating the root cause of improper input neutralization leading to XSS.
SI-2 ensures timely remediation of known flaws like this reflected XSS vulnerability through patching the affected fomo-payment-gateway-for-woocommerce plugin versions up to 2.0.4.