Cyber Resilience

CVE-2025-23666

High

Published: 26 March 2025

Published
26 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0018 40.0th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-23666 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 40.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-23666 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the Management-screen-droptiles component of the cxc-sawa software. This issue impacts all versions from n/a through 1.0 inclusive. The vulnerability carries a CVSS v3.1 base score of 7.1, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, no required privileges, user interaction needed, changed scope, and low impacts to confidentiality, integrity, and availability.

Remote attackers without privileges can exploit this vulnerability by crafting malicious input that reflects unsanitized in web page generation, tricking users—typically those with access to the management screen, such as administrators—into interacting via a malicious link or page. Successful exploitation executes arbitrary JavaScript in the victim's browser context, potentially allowing session hijacking, data theft, or minor disruptions, though impacts remain low due to scope change and interaction requirements.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/cxc-sawa/vulnerability/wordpress-management-screen-droptiles-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, which covers the WordPress plugin context and vulnerability specifics.

EU & UK References

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cxc-sawa Management-screen-droptiles cxc-sawa allows Reflected XSS.This issue affects Management-screen-droptiles: from n/a through <= 1.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Reflected XSS enables arbitrary JavaScript execution in the browser (T1203 Exploitation for Client Execution) and directly facilitates session hijacking (T1185) and stealing web session cookies (T1539) as explicitly noted in the vulnerability impacts and attack vector via malicious links.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34989Shared CWE-79
CVE-2026-32277Shared CWE-79
CVE-2026-35035Shared CWE-79
CVE-2026-46367Shared CWE-79
CVE-2025-25102Shared CWE-79
CVE-2025-26918Shared CWE-79
CVE-2025-67923Shared CWE-79
CVE-2026-27655Shared CWE-79
CVE-2026-30919Shared CWE-79
CVE-2025-23883Shared CWE-79

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-15 requires filtering of information outputs to neutralize malicious scripts, directly addressing the improper neutralization of input during web page generation that enables reflected XSS.

prevent

SI-10 enforces validation of inputs to reject or sanitize malicious payloads, preventing crafted inputs from being reflected as executable JavaScript in the management screen.

prevent

SI-2 mandates identification, reporting, and correction of system flaws like this CVE, ensuring timely patching of the vulnerable Management-screen-droptiles component.

References