CVE-2025-23565
Published: 03 March 2025
Summary
CVE-2025-23565 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-23565 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the Wibstats WordPress plugin (wibstats-statistics-for-wordpress-mu) by Chris Taylor, impacting all versions from n/a through 0.5.5 inclusive. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and scope change.
Remote attackers require no privileges and can exploit it over the network with low attack complexity, though user interaction is needed, such as a victim clicking a malicious link or visiting a crafted page. Exploitation allows script execution in the victim's browser context, potentially leading to low-level impacts on confidentiality (e.g., session theft), integrity (e.g., data tampering), and availability, with the attack scope expanding beyond the vulnerable component.
The Patchstack advisory provides details on this vulnerability, including mitigation guidance, accessible at https://patchstack.com/database/Wordpress/Plugin/wibstats-statistics-for-wordpress-mu/vulnerability/wordpress-wibstats-plugin-0-5-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5714
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Taylor Wibstats wibstats-statistics-for-wordpress-mu allows Reflected XSS.This issue affects Wibstats: from n/a through <= 0.5.5.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The reflected XSS vulnerability in the public-facing WordPress plugin directly enables exploitation of the web application (T1190) to execute arbitrary JavaScript in the victim's browser context (T1059.007).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents reflected XSS by filtering malicious scripts from untrusted information outputs during web page generation in the Wibstats plugin.
Validates and sanitizes user inputs to block injection of malicious payloads that could be reflected as executable scripts in web pages.
Remediates the specific XSS flaw in Wibstats plugin versions <=0.5.5 by identifying, patching, and verifying corrections.