CVE-2025-23564
Published: 03 March 2025
Summary
CVE-2025-23564 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001); ranked at the 46.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-23564 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the WP FixTag WordPress plugin (wp-fixtag) by mohsenshahbazi, impacting all versions from n/a through <= v2.0.2.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). Unauthenticated attackers with network access can exploit it through low-complexity attacks requiring user interaction, such as following a malicious link. Exploitation changes the scope and allows low-level impacts on confidentiality, integrity, and availability in the context of the interacting user.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-fixtag/vulnerability/wordpress-wp-fixtag-plugin-v2-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve provides additional details on this WordPress plugin vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5716
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mohsenshahbazi WP FixTag wp-fixtag allows Reflected XSS.This issue affects WP FixTag: from n/a through <= v2.0.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS triggered via malicious link (T1204.001) enabling arbitrary JavaScript execution in browser (T1059.007).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 directly mandates validation of information inputs to neutralize malicious payloads like those enabling reflected XSS in the WP FixTag plugin.
SI-15 requires filtering of outputs prior to transmission to prevent reflected XSS by encoding or removing harmful scripts during web page generation.
SI-2 ensures timely remediation of the specific flaw in WP FixTag versions <=2.0.2 through identification, reporting, and patching.