CVE-2025-23582
Published: 03 February 2025
Summary
CVE-2025-23582 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 12.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-23582 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-site Scripting (XSS) as classified under CWE-79. It affects the WordPress plugin Bulk Categories Assign (slug: bulk-categories-assign) developed by Haider Ali, impacting all versions from n/a through 1.0 inclusive. The vulnerability was published on 2025-02-03.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). Remote attackers require no privileges and can exploit it over the network with low attack complexity, though it demands user interaction such as clicking a malicious link. Successful exploitation enables limited impacts on confidentiality, integrity, and availability within a changed scope, typically allowing execution of arbitrary scripts in the victim's browser context.
Advisories, including the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/bulk-categories-assign/vulnerability/wordpress-bulk-categories-assign-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, document the issue and provide further details for practitioners.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3263
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Haider Ali Bulk Categories Assign bulk-categories-assign allows Reflected XSS. This issue affects Bulk Categories Assign: from n/a through <= 1.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress plugin enables exploitation of the web application over the network (T1190) via crafted malicious links that require a user click to trigger arbitrary browser script execution (T1204.001).
Mitigating Controls (NIST 800-53 r5)
SI-10 directly prevents reflected XSS by enforcing validation of user inputs to neutralize malicious scripts before web page generation.
SI-15 comprehensively mitigates reflected XSS through output filtering that encodes or sanitizes reflected inputs in web responses.
SI-2 addresses the specific flaw in the Bulk Categories Assign plugin by requiring timely identification, reporting, and remediation of the XSS vulnerability.
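To make SI-10 and SI-15 concrete, the following is an added illustration and not code from the Bulk Categories Assign plugin (whose affected code this record does not show). It models a hypothetical handler that reflects a query parameter named `filter`, first in the unsafe shape CWE-79 describes and then with input validation (SI-10) and context-aware output encoding (SI-15) applied. The parameter name, the allowed character set and the handler structure are assumptions; the script runs under the PHP CLI, and the WordPress equivalents of each step are noted in comments.

```php
<?php
// Added illustration of the SI-10 / SI-15 controls for a reflected parameter.
// Not the Bulk Categories Assign plugin's code: the "filter" parameter name,
// the validation rule and the handler layout are hypothetical.
declare(strict_types=1);

// Unsafe pattern (shown only for contrast): the raw request value is copied
// into the HTML response unchanged, which is the CWE-79 shape this CVE describes.
function render_unsafe(array $query): string
{
    $value = $query['filter'] ?? '';
    return '<p>Filter: ' . $value . '</p>';
}

// SI-10 (Information Input Validation): accept only what the feature needs.
// A category filter here may contain letters, digits, spaces, '_' and '-'.
// WordPress equivalent: sanitize_text_field() followed by a feature-specific check.
function validate_filter(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;            // arrays or missing values are rejected outright
    }
    $value = trim($raw);
    if ($value === '' || strlen($value) > 100) {
        return null;
    }
    return preg_match('/^[\p{L}\p{N} _-]+$/u', $value) === 1 ? $value : null;
}

// SI-15 (Information Output Filtering): encode for the HTML text context
// the value lands in, so any surviving markup is rendered as literal text.
// WordPress equivalent: esc_html() for text nodes, esc_attr() for attributes.
function esc_html_ctx(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened handler: validate first, then encode on output. Both layers are
// kept because validation rules change over time while encoding is universal.
function render_safe(array $query): string
{
    $value = validate_filter($query['filter'] ?? null);
    if ($value === null) {
        return '<p>Filter: (none)</p>';
    }
    return '<p>Filter: ' . esc_html_ctx($value) . '</p>';
}

// Constructed sample requests: one benign value and one carrying HTML markup.
$benign  = ['filter' => 'news-2025'];
$hostile = ['filter' => '<b>injected</b>'];

echo "unsafe, hostile input:  ", render_unsafe($hostile), PHP_EOL;  // markup passes through
echo "safe, benign input:     ", render_safe($benign), PHP_EOL;     // value reflected as-is
echo "safe, hostile input:    ", render_safe($hostile), PHP_EOL;    // rejected by validation
echo "encoding only:          ", esc_html_ctx('<b>injected</b>'), PHP_EOL; // rendered as text
```

The last line shows why SI-15 matters even when validation is in place: if a future change loosens the allowed character set, the encoding step still turns `<` and `>` into entities, so the browser renders the reflected value as text rather than parsing it as markup.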