CVE-2025-23666
Published: 26 March 2025
Summary
CVE-2025-23666 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 40.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-23666 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the Management-screen-droptiles component of the cxc-sawa software. This issue impacts all versions from n/a through 1.0 inclusive. The vulnerability carries a CVSS v3.1 base score of 7.1, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, no required privileges, user interaction needed, changed scope, and low impacts to confidentiality, integrity, and availability.
Remote attackers without privileges can exploit this vulnerability by crafting malicious input that reflects unsanitized in web page generation, tricking users—typically those with access to the management screen, such as administrators—into interacting via a malicious link or page. Successful exploitation executes arbitrary JavaScript in the victim's browser context, potentially allowing session hijacking, data theft, or minor disruptions, though impacts remain low due to scope change and interaction requirements.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/cxc-sawa/vulnerability/wordpress-management-screen-droptiles-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, which covers the WordPress plugin context and vulnerability specifics.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8189
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cxc-sawa Management-screen-droptiles cxc-sawa allows Reflected XSS.This issue affects Management-screen-droptiles: from n/a through <= 1.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS enables arbitrary JavaScript execution in the browser (T1203 Exploitation for Client Execution) and directly facilitates session hijacking (T1185) and stealing web session cookies (T1539) as explicitly noted in the vulnerability impacts and attack vector via malicious links.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-15 requires filtering of information outputs to neutralize malicious scripts, directly addressing the improper neutralization of input during web page generation that enables reflected XSS.
SI-10 enforces validation of inputs to reject or sanitize malicious payloads, preventing crafted inputs from being reflected as executable JavaScript in the management screen.
SI-2 mandates identification, reporting, and correction of system flaws like this CVE, ensuring timely patching of the vulnerable Management-screen-droptiles component.