CVE-2025-23625
Published: 22 January 2025
Summary
CVE-2025-23625 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 29.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-23625 is an Improper Neutralization of Input During Web Page Generation vulnerability that enables Reflected Cross-site Scripting (XSS), classified under CWE-79. It affects the Unique UX WordPress plugin developed by awcode, in all versions up to and including 0.9.2 (the earliest affected version is listed as n/a).
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). Remote attackers require no privileges and can exploit it over the network with low complexity, but user interaction is required (UI:R), for example a victim following a crafted link. Successful exploitation has limited impact on confidentiality, integrity, and availability, with a changed scope (S:C) because the payload executes in the victim's browser rather than on the vulnerable server.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/unique-ux/vulnerability/wordpress-unique-ux-plugin-0-9-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS issue in Unique UX plugin version 0.9.2.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3294
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in awcode Unique UX unique-ux allows Reflected XSS. This issue affects Unique UX: from n/a through <= 0.9.2.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress plugin lets an attacker exploit the web application itself (T1190) and execute arbitrary JavaScript in the victim's browser context (T1059.007).
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): Directly addresses reflected XSS by encoding or filtering web page output so that untrusted input is neutralized before rendering, preventing script injection in the Unique UX plugin.
- SI-10 (Information Input Validation): Validates inputs to the Unique UX plugin so that malicious payloads that could be reflected as executable script are rejected or sanitized.
- Flaw remediation: Requires timely patching of the specific improper neutralization flaw in Unique UX versions through 0.9.2 to eliminate the XSS vulnerability.
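As an added example (not code from the Unique UX plugin or the Patchstack advisory), the following shows the reflected-output pattern behind CWE-79 beside a handler that applies the two controls named above; the request parameter `ux_label` and the function names are hypothetical.

```php
<?php
// Added example, not code from the Unique UX plugin: a reflected-XSS
// pattern in a WordPress-style PHP handler and the hardened version.
// The request parameter "ux_label" is a hypothetical placeholder.

// Vulnerable pattern: the request value is concatenated into HTML as-is,
// so markup in the query string is reflected to the browser as markup.
function render_label_unsafe(array $get): string {
    $label = $get['ux_label'] ?? '';
    return '<span class="ux-label">' . $label . '</span>';
}

// SI-10 (input validation): constrain the value to what the feature needs.
// Here: a single line of printable ASCII, at most 40 characters.
// Validation narrows the input but cannot be the only defence, because a
// legitimate label may still contain characters that are HTML metacharacters.
function validate_label(string $s): ?string {
    if ($s === '' || strlen($s) > 40) {
        return null;
    }
    return preg_match('/^[\x20-\x7E]+$/', $s) === 1 ? $s : null;
}

// SI-15 (output filtering): encode for the HTML text context at the point
// of output. ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of silently returning an empty string. In a real
// WordPress plugin the core helpers esc_html() / esc_attr() / esc_url()
// perform this role and should be used instead of a local wrapper.
function esc_html_text(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened handler: validate first, then encode for the output context.
function render_label_safe(array $get): string {
    $label = validate_label((string) ($get['ux_label'] ?? '')) ?? '';
    return '<span class="ux-label">' . esc_html_text($label) . '</span>';
}

// Constructed request carrying the standard harmless XSS test marker.
$request = ['ux_label' => '<script>alert(1)</script>'];

// The unsafe handler reflects the tag verbatim; the safe handler emits
// only entity-encoded text, which the browser renders as literal characters.
echo render_label_unsafe($request), PHP_EOL;
echo render_label_safe($request), PHP_EOL;
```

Run with `php example.php` and compare the two lines: the payload passes length and character validation, so it is the output encoding, not the validation, that stops it from executing.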