CVE-2025-23697
Published: 22 January 2025
Summary
CVE-2025-23697 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001); ranked in the top 42.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-23697 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WordPress plugin Podčlánková inzerce (podclankova-inzerce). This issue affects all versions of the plugin from n/a through 2.4.0.
The vulnerability can be exploited by remote attackers with no required privileges over the network, though it requires user interaction such as clicking a malicious link. Successful exploitation allows attackers to inject and execute arbitrary scripts in the context of the victim's browser, potentially leading to low impacts on confidentiality, integrity, and availability, with a changed scope as per the CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/podclankova-inzerce/vulnerability/wordpress-podclankova-inzerce-plugin-2-4-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3353
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webdeal Podčlánková inzerce podclankova-inzerce allows Reflected XSS.This issue affects Podčlánková inzerce: from n/a through <= 2.4.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS enables arbitrary JavaScript execution in the victim's browser when a user clicks a crafted malicious link, directly facilitating T1204.001 (Malicious Link) for user execution and T1059.007 (JavaScript) for script interpretation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-15 requires filtering of information outputs to neutralize malicious scripts before they are rendered in web pages, directly preventing reflected XSS exploitation in the WordPress plugin.
SI-10 enforces validation of user inputs to reject or sanitize malicious payloads that could be reflected as executable scripts in the vulnerable plugin.
SI-2 mandates timely identification and remediation of flaws like CVE-2025-23697 through patching the affected Podčlánková inzerce plugin versions.