CVE-2025-23709
Published: 22 January 2025
Summary
CVE-2025-23709 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-23709 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the kiroro Formatted post WordPress plugin. This issue affects all versions of the plugin from n/a through 1.01. The vulnerability was published on 2025-01-22 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The vulnerability can be exploited remotely over the network by unauthenticated attackers with low attack complexity, requiring user interaction such as clicking a malicious link. Exploitation changes the scope to the site's context, enabling arbitrary script execution in the victim's browser. This can result in low-level impacts to confidentiality, integrity, and availability, such as session hijacking or data theft within the site's domain.
Patchstack's advisory documents this Reflected XSS vulnerability specifically in the WordPress Formatted Post plugin version 1.01, providing details available at https://patchstack.com/database/Wordpress/Plugin/formatted-post/vulnerability/wordpress-formatted-post-plugin-1-01-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3362
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kiroro Formatted post formatted-post allows Reflected XSS.This issue affects Formatted post: from n/a through <= 1.01.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables remote exploitation of the web application (T1190) resulting in arbitrary JavaScript execution in the victim's browser (T1059.007), with potential for session hijacking as noted in the description.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates reflected XSS by filtering outputs during web page generation to neutralize malicious scripts in the kiroro Formatted post plugin.
Prevents exploitation of the improper input neutralization vulnerability by validating inputs to block XSS payloads before reflection.
Addresses the specific CVE by identifying and remediating the flaw in the Formatted post plugin versions through timely patching.