CVE-2025-23670
Published: 03 March 2025
Summary
CVE-2025-23670 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-23670 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the WordPress plugin "4-author-cheer-up-donate" by montashov. This issue impacts all versions of the plugin from n/a through 1.3 inclusive, as published on 2025-03-03.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility with low attack complexity, no required privileges, but necessitating user interaction. Remote attackers can exploit it by tricking users, such as site administrators, into interacting with maliciously crafted links or inputs reflected in web pages generated by the plugin. Successful exploitation enables arbitrary JavaScript execution in the victim's browser context with changed scope, resulting in low impacts to confidentiality, integrity, and availability, such as session hijacking or data theft.
Patchstack has documented the vulnerability, including details on the affected WordPress plugin version 1.3, with advisories available at https://patchstack.com/database/Wordpress/Plugin/4-author-cheer-up-donate/vulnerability/wordpress-4-author-cheer-up-donate-plugin-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve. Security practitioners should update to a patched version if available or disable the plugin on affected sites.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5703
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in montashov 4 author cheer up donate 4-author-cheer-up-donate allows Reflected XSS.This issue affects 4 author cheer up donate: from n/a through <= 1.3.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and arbitrary JavaScript execution in browser (T1059.007) via crafted links.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-15 directly addresses improper neutralization during web page generation by requiring output filtering to prevent reflected XSS execution in the victim's browser.
SI-10 requires input validation to reject or sanitize malicious payloads that could be reflected by the vulnerable WordPress plugin.
SI-2 mandates timely flaw remediation, such as patching the WordPress plugin version <=1.3 to fix the XSS vulnerability.