CVE-2025-23714

High

Published: 26 March 2025

Published

26 March 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0018 39.8th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-23714 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 39.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Drive-by Compromise (T1189). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-15 Information Output Filtering good match

prevent

SI-15 requires output filtering to neutralize untrusted inputs during web page generation, directly preventing reflected XSS payloads from executing in victims' browsers.

SI-10 Information Input Validation good match

prevent

SI-10 enforces validation of information inputs, rejecting crafted XSS payloads before they can be reflected in the AppReview plugin's web pages.

SI-2 Flaw Remediation good match

prevent

SI-2 mandates identification and remediation of flaws like this reflected XSS vulnerability through timely patching of the AppReview plugin to versions beyond 0.2.9.

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

Why these techniques?

Reflected XSS allows crafted malicious links to trigger arbitrary JavaScript execution in victims' browsers, directly enabling drive-by compromise of user systems.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in podspod AppReview appreview allows Reflected XSS.This issue affects AppReview: from n/a through <= 0.2.9.

Deeper analysisAI

CVE-2025-23714 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the podspod AppReview (appreview) WordPress plugin. The issue impacts all versions from an unspecified initial release through 0.2.9.

With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability is exploitable over the network with low attack complexity, requiring no privileges but user interaction such as clicking a malicious link. Any unauthenticated remote attacker can deliver crafted payloads reflected in web pages, potentially executing arbitrary scripts in the victim's browser context to achieve limited impacts on confidentiality, integrity, and availability within a changed security scope.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/appreview/vulnerability/wordpress-appreview-plugin-0-2-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the Reflected XSS vulnerability in AppReview plugin version 0.2.9, recommending mitigation through updating to a version beyond 0.2.9 where the issue is addressed.

Details

CWE(s): CWE-79

CVEs Like This One

CVE-2025-28855Shared CWE-79

CVE-2025-68871Shared CWE-79

CVE-2025-22594Shared CWE-79

CVE-2025-23852Shared CWE-79

CVE-2025-30223Shared CWE-79

CVE-2026-22438Shared CWE-79

CVE-2025-26586Shared CWE-79

CVE-2025-46410Shared CWE-79

CVE-2025-23489Shared CWE-79

CVE-2026-28113Shared CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/appreview/vulnerability/wordpress-appreview-plugin-0-2-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com