CVE-2025-23585
Published: 03 March 2025
Summary
CVE-2025-23585 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-23585 is an improper neutralization of input during web page generation vulnerability, specifically a reflected cross-site scripting (XSS) issue classified under CWE-79, in the CantonBolo Goo.gl Url Shorter WordPress plugin (googl-url-shorter). This flaw affects all versions of the plugin from n/a through 1.0.1.
The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating exploitation over the network with low complexity, no required privileges, and user interaction. A remote unauthenticated attacker can craft a malicious URL containing an XSS payload and trick a targeted user, such as an authenticated WordPress administrator, into visiting it. Upon execution in the victim's browser, the attacker can achieve low impacts on confidentiality, integrity, and availability within a changed scope, potentially leading to theft of session cookies, account takeover, or further site compromise.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/googl-url-shorter/vulnerability/wordpress-goo-gl-url-shorter-plugin-1-0-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5726
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CantonBolo Goo.gl Url Shorter googl-url-shorter allows Reflected XSS.This issue affects Goo.gl Url Shorter: from n/a through <= 1.0.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables T1190 (exploiting the vulnerable web app over network) and T1059.007 (arbitrary JavaScript execution in victim's browser via crafted URL).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly counters improper neutralization of input by enforcing validation of user-supplied data like malicious URLs to block XSS payloads.
Prevents reflected XSS by filtering and encoding information outputs during web page generation to neutralize script injection.
Requires identification, reporting, and correction of the specific XSS flaw in the Goo.gl Url Shorter plugin to eliminate the vulnerability.