CVE-2025-23688
Published: 03 March 2025
Summary
CVE-2025-23688 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-23688 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-Site Scripting (XSS) under CWE-79, affecting the Cobwebo URL Plugin (cobwebo-url) developed by editionskezzal for WordPress. The issue impacts all versions of the plugin from n/a through 1.0 inclusive. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low complexity, lack of required privileges, user interaction requirement, and scope change.
Attackers can exploit this vulnerability by crafting a malicious URL that incorporates reflected input, tricking authenticated or unauthenticated users into clicking or visiting it via social engineering, such as phishing emails or malicious links on external sites. No special privileges are needed (PR:N), and exploitation occurs over the network (AV:N) with low complexity (AC:L) but requires user interaction (UI:R). Successful exploitation executes arbitrary JavaScript in the victim's browser within the context of the WordPress site due to the changed scope (S:C), potentially leading to low-level impacts on confidentiality (e.g., session token theft), integrity (e.g., data tampering), and availability (e.g., denial of service).
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/cobwebo-url/vulnerability/wordpress-cobwebo-url-plugin-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve provides detailed vulnerability information for the Cobwebo URL Plugin <=1.0, including guidance on mitigation for WordPress administrators.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5692
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in editionskezzal Cobwebo URL Plugin cobwebo-url allows Reflected XSS.This issue affects Cobwebo URL Plugin: from n/a through <= 1.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables exploitation via crafted malicious URLs (T1190, T1204.001) often delivered by spearphishing (T1566.002), directly facilitating browser session hijacking (T1185) and web session cookie theft (T1539).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates reflected XSS by requiring filtering and encoding of information outputs to neutralize malicious scripts reflected in web pages.
Addresses improper neutralization of input by validating and sanitizing user-supplied data in URLs before processing or reflection in the Cobwebo URL Plugin.
Ensures timely identification, reporting, and patching of the specific XSS flaw in the Cobwebo URL Plugin versions through 1.0.