CVE-2025-23637
Published: 03 March 2025
Summary
CVE-2025-23637 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2025-23637 by requiring timely remediation of the reflected XSS flaw through patching the vulnerable wp-xintaoke WordPress plugin to version beyond 1.1.2.
Prevents reflected XSS exploitation in the plugin by filtering malicious inputs prior to output on web pages, blocking executable scripts from reaching the victim's browser.
Addresses the improper neutralization of input in the plugin by validating all user-supplied data to reject XSS payloads before reflection during web page generation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables T1190 (exploit public-facing application) and T1203 (exploitation for client execution via malicious links).
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fxy060608 新淘客WordPress插件 wp-xintaoke allows Reflected XSS.This issue affects 新淘客WordPress插件: from n/a through <= 1.1.2.
Deeper analysisAI
CVE-2025-23637 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WordPress plugin 新淘客WordPress插件 (wp-xintaoke) by fxy060608. This issue affects the plugin from unknown initial versions through 1.1.2, as published on 2025-03-03 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
A remote attacker requires no privileges and can exploit this over the network with low attack complexity by tricking an authenticated or unauthenticated site user into interacting with a maliciously crafted link or input that reflects executable script back in the browser. Successful exploitation changes the security scope, enabling limited impacts on confidentiality, integrity, and availability, such as potential session hijacking, data exfiltration from the victim's browser context, or site defacement visible to the user.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-xintaoke/vulnerability/wordpress-wordpress-plugin-1-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the vulnerability in wp-xintaoke version 1.1.2 and serves as a primary reference for affected installations. Practitioners should consult this and monitor for vendor patches or updates to versions beyond 1.1.2, alongside standard XSS mitigations like input sanitization and Content Security Policy enforcement.
Details
- CWE(s)