Cyber Resilience

CVE-2025-23563

High

Published: 03 March 2025

Published
03 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0023 46.2th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-23563 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-23563 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the Explore pages component in the mbyte Explore Pages WordPress plugin. This flaw impacts versions from an unspecified initial release through 1.01, as published on 2025-03-03.

Unauthenticated attackers (PR:N) can exploit this over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction such as clicking a malicious link (UI:R). Exploitation changes the scope (S:C) and enables limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), resulting in a CVSS v3.1 base score of 7.1.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/explore-pages/vulnerability/wordpress-explore-pages-plugin-1-01-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the vulnerability in the WordPress Explore Pages plugin version 1.01 and provides associated mitigation guidance.

EU & UK References

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mbyte Explore pages explore-pages allows Reflected XSS.This issue affects Explore pages: from n/a through <= 1.01.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

Reflected XSS in public-facing WordPress plugin directly enables exploitation of the web app over the network via a crafted malicious link requiring user interaction to trigger arbitrary script execution in the browser.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22765Shared CWE-79
CVE-2024-13885Shared CWE-79
CVE-2025-23645Shared CWE-79
CVE-2025-24017Shared CWE-79
CVE-2025-24544Shared CWE-79
CVE-2025-68037Shared CWE-79
CVE-2025-23725Shared CWE-79
CVE-2025-22357Shared CWE-79
CVE-2026-24955Shared CWE-79
CVE-2025-23834Shared CWE-79

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

preventrecover

Requires identification, reporting, and correction of the specific reflected XSS flaw in the mbyte Explore Pages WordPress plugin through timely patching or workarounds.

prevent

Mandates filtering of information output during web page generation to neutralize malicious scripts reflected from untrusted user input, directly preventing XSS exploitation.

prevent

Enforces validation of inputs at entry points to reject or sanitize malicious payloads targeting the Explore pages, blocking reflected XSS attacks before processing.

References