Cyber Posture

CVE-2025-23619

High

Published: 03 March 2025

Published
03 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0035 57.2th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-23619 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001); ranked in the top 42.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious Link (T1204.001) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly requires validation of user inputs to prevent improper neutralization leading to reflected XSS injection.

SI-15 Information Output Filtering good match
prevent

Mandates filtering of information outputs to neutralize malicious scripts reflected in web pages, addressing the core XSS execution mechanism.

SI-2 Flaw Remediation good match
prevent

Ensures timely identification, reporting, and correction of flaws like this plugin's XSS vulnerability through patching and remediation processes.

MITRE ATT&CK Enterprise TechniquesAI

T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
attack.mitre.org →
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
attack.mitre.org →
Why these techniques?

Reflected XSS is exploited by sending a malicious link (T1204.001) that triggers arbitrary JS execution in the browser; this directly enables session hijacking via cookie theft (T1539) as explicitly noted in the CVE description.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Catch Themes Catch Duplicate Switcher catch-duplicate-switcher allows Reflected XSS.This issue affects Catch Duplicate Switcher: from n/a through <= 2.0.

Deeper analysisAI

CVE-2025-23619 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Catch Duplicate Switcher WordPress plugin developed by Catch Themes. The issue affects the plugin from unspecified initial versions through version 2.0 inclusive. Published on March 3, 2025, it carries a CVSS v3.1 base score of 7.1.

Attackers can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), such as clicking a malicious link. The changed scope (S:C) enables execution of arbitrary JavaScript in the victim's browser context, resulting in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L). Potential outcomes include session hijacking, data theft, or phishing within the affected site.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/catch-duplicate-switcher/vulnerability/wordpress-catch-duplicate-switcher-plugin-2-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS vulnerability specific to Catch Duplicate Switcher version 2.0.

Details

CWE(s)
CWE-79

CVEs Like This One

CVE-2025-23602Shared CWE-79
CVE-2025-26584Shared CWE-79
CVE-2025-26536Shared CWE-79
CVE-2025-23540Shared CWE-79
CVE-2025-23587Shared CWE-79
CVE-2025-23770Shared CWE-79
CVE-2025-23475Shared CWE-79
CVE-2025-24708Shared CWE-79
CVE-2025-12551Shared CWE-79
CVE-2026-23973Shared CWE-79

References