CVE-2025-23553
Published: 03 March 2025
Summary
CVE-2025-23553 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The vulnerability is ranked at the 45.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- SI-15 (Information Output Filtering): directly mitigates reflected XSS by filtering information outputs during web page generation to neutralize malicious scripts.
- SI-10 (Information Input Validation): enforces validation of reflected inputs such as URLs to prevent injection and processing of XSS payloads.
- SI-2 (Flaw Remediation): requires timely flaw remediation to patch the specific XSS vulnerability in the Userbase Access Control plugin.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
Reflected XSS enables arbitrary JavaScript execution in the victim's browser via malicious URL payloads (T1059.007) and directly facilitates browser session hijacking or data theft as noted in the impacts (T1185).
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David Cramer Userbase Access Control userbase-access-control allows Reflected XSS. This issue affects Userbase Access Control: from n/a through <= 1.0.
Deeper analysis [AI-generated]
CVE-2025-23553 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the Userbase Access Control WordPress plugin developed by David Cramer. The plugin, known as userbase-access-control, is vulnerable in all versions up to and including 1.0, allowing attackers to inject malicious scripts into web pages generated by the plugin.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low attack complexity and no privileges required, but user interaction is needed. Remote unauthenticated attackers can craft malicious payloads delivered via reflected inputs, such as URLs, and trick victims into interacting with them (e.g., clicking a link). Successful exploitation executes arbitrary JavaScript in the victim's browser context with changed scope (S:C), with low-rated impacts on confidentiality, integrity, and availability, such as session hijacking or data theft.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/userbase-access-control/vulnerability/wordpress-userbase-access-control-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve provides details on the vulnerability, including assessment and recommended mitigations for WordPress site administrators.
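The two controls named above (SI-10 input validation and SI-15 output filtering) are easiest to see side by side in code. The following PHP is an added illustration written for this page; it is not code from the Userbase Access Control plugin, and the parameter name `redirect_to`, the function names and the markup are assumptions chosen for the example. It shows the reflected-XSS pattern that CWE-79 describes next to a hardened version of the same rendering step.

```php
<?php
// Added illustration, not code from the Userbase Access Control plugin:
// the CWE-79 reflected-XSS pattern beside a hardened version that applies
// SI-10 (validate the reflected input) and SI-15 (encode the output).
// The parameter name `redirect_to`, the function names and the markup are
// assumptions chosen for the example.

// Fallback so the file also runs under plain `php` outside WordPress.
// Inside WordPress the real esc_attr() is already defined and this is skipped.
if (!function_exists('esc_attr')) {
    function esc_attr($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// VULNERABLE: a value taken from the request URL is written into the page
// unchanged, so a crafted link can break out of the href attribute and run
// script in the browser of whoever clicks it (reflected XSS).
function render_login_notice_vulnerable(array $query): string
{
    $back = $query['redirect_to'] ?? '/';
    return '<p>Please log in. <a href="' . $back . '">Return</a></p>';
}

// SI-10: accept only a local absolute path. A non-string value (e.g. an
// array from redirect_to[]=...), a scheme, a host, a protocol-relative "//"
// prefix, quotes or control characters all fall back to "/", so the reflected
// value can never carry markup or point at a foreign site.
function safe_redirect_path($raw): string
{
    if (!is_string($raw) || !preg_match('#^/(?!/)[A-Za-z0-9_\-./?=&%]*$#', $raw)) {
        return '/';
    }
    return $raw;
}

// SI-15: encode at the point of output, for the context the value lands in
// (here an HTML attribute). Even if validation were loosened later, quotes
// and angle brackets are neutralised before they reach the browser.
function render_login_notice_hardened(array $query): string
{
    $back = safe_redirect_path($query['redirect_to'] ?? null);
    return '<p>Please log in. <a href="' . esc_attr($back) . '">Return</a></p>';
}

// Self-check when run from the command line, using a constructed request
// whose redirect_to value tries to close the attribute and inject a tag.
if (PHP_SAPI === 'cli') {
    $constructed = ['redirect_to' => '"><script>alert(1)</script>'];
    echo "vulnerable: ", render_login_notice_vulnerable($constructed), "\n";
    echo "hardened:   ", render_login_notice_hardened($constructed), "\n";
    // The hardened output contains no "<script" and links back to "/".
    assert(strpos(render_login_notice_hardened($constructed), '<script') === false);
}
```

In a real plugin the WordPress-native equivalents are `wp_validate_redirect()` for the validation step and `esc_url()` / `esc_attr()` / `esc_html()` for the encoding step, chosen by the output context. Both layers are kept deliberately: validation limits what can be reflected at all, and contextual output encoding guarantees that whatever is reflected cannot be interpreted as markup. For detection, reflected payloads of this kind are visible in web server access logs as URL-encoded quotes and angle brackets inside query-string parameters of plugin-served pages.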
Details
- CWE(s)