CVE-2025-23657
Published: 14 February 2025
Summary
CVE-2025-23657 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 29.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-23657 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the RusAlex WordPress-to-candidate for Salesforce CRM plugin (salesforce-wordpress-to-candidate). This issue impacts all versions from n/a through 1.0.1 and was published on 2025-02-14.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low attack complexity, no required privileges, but necessitating user interaction. Any unauthenticated attacker can deliver malicious input that reflects back to victims, potentially executing scripts in their browsers within the context of the affected site and changing the scope of impact to achieve low-level effects on confidentiality, integrity, and availability.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/salesforce-wordpress-to-candidate/vulnerability/wordpress-wordpress-to-candidate-for-salesforce-crm-plugin-1-0-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS vulnerability in WordPress-to-candidate for Salesforce CRM plugin version 1.0.1.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3321
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RusAlex WordPress-to-candidate for Salesforce CRM salesforce-wordpress-to-candidate allows Reflected XSS.This issue affects WordPress-to-candidate for Salesforce CRM: from n/a through <= 1.0.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS directly enables execution of arbitrary JavaScript in the victim's browser context, facilitating browser session hijacking (e.g., stealing cookies/tokens) and web portal capture (e.g., form input/keylogging).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-15 requires filtering of information outputs to prevent reflected XSS by ensuring malicious input is neutralized before web page generation in the WordPress plugin.
SI-10 enforces validation of untrusted inputs, directly mitigating the improper neutralization vulnerability that allows unauthenticated attackers to inject scripts via the salesforce-wordpress-to-candidate plugin.
SI-2 mandates identification and correction of flaws like this reflected XSS in the plugin, preventing exploitation through timely patching.