CVE-2025-23616
Published: 03 March 2025
Summary
CVE-2025-23616 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-23616 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Canalplan-AC WordPress plugin by Steve Canalplan. This issue affects Canalplan-AC versions from n/a through 5.31 inclusive. Published on 2025-03-03, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility and scope change despite requiring user interaction.
Attackers can exploit this remotely over the network without authentication or privileges, using low-complexity techniques that require user interaction, such as tricking a victim into visiting a maliciously crafted URL on a vulnerable site. Successful exploitation enables reflected XSS, where attacker-controlled input is improperly reflected in the web page, allowing script injection. This yields low impacts on confidentiality (e.g., limited data exposure), integrity (e.g., minor tampering), and availability, but the changed scope (S:C) amplifies potential effects in cross-origin contexts.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/canalplan-ac/vulnerability/wordpress-canalplan-plugin-5-31-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents this reflected XSS vulnerability in the Canalplan-AC WordPress plugin at version 5.31, serving as a key reference for mitigation details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5688
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve Canalplan canalplan-ac allows Reflected XSS.This issue affects Canalplan: from n/a through <= 5.31.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) via crafted URLs and facilitates arbitrary JavaScript execution through script injection (T1059.007).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-15 requires filtering of information outputs before web page generation, directly preventing reflected XSS by neutralizing malicious input reflections like in Canalplan-AC.
SI-10 enforces validation of all inputs to the system, blocking malicious XSS payloads from being processed and reflected in responses.
SI-2 mandates identification and timely remediation of flaws, such as patching the Canalplan-AC plugin vulnerability up to version 5.31.