CVE-2025-23725
Published: 23 January 2025
Summary
CVE-2025-23725 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-15 requires filtering of information output during web page generation, directly preventing reflected XSS by neutralizing malicious scripts before rendering in the victim's browser.
SI-10 enforces input validation at entry points, addressing the improper neutralization of input that enables this reflected XSS vulnerability in the WordPress plugin.
SI-2 mandates timely flaw remediation, including patching or updating the vulnerable Accessibility Task Manager plugin versions through 1.2.1.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables exploitation of public-facing applications (T1190) and is exploited via malicious links requiring user interaction (T1204.001).
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pshikli Accessibility Task Manager accessibility-task-manager allows Reflected XSS.This issue affects Accessibility Task Manager: from n/a through <= 1.2.1.
Deeper analysisAI
CVE-2025-23725 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (CWE-79), in the pshikli Accessibility Task Manager WordPress plugin (accessibility-task-manager). This issue affects all versions from n/a through 1.2.1. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low complexity, no required privileges, user interaction, and cross-origin scope change with low impacts on confidentiality, integrity, and availability.
Unauthenticated attackers can exploit this Reflected XSS vulnerability remotely by crafting malicious inputs that are reflected in dynamically generated web pages. Exploitation requires tricking a user into interacting with a malicious link or payload (UI:R), such as via phishing, leading to arbitrary script execution in the victim's browser context. This enables limited theft of sensitive data (C:L), modification of page content (I:L), or disruption of services (A:L), amplified by the scope change to cross-origin (S:C).
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/accessibility-task-manager/vulnerability/wordpress-accessibility-task-manager-plugin-1-2-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the vulnerability specifically in the WordPress Accessibility Task Manager plugin up to version 1.2.1 and provides details on detection and mitigation, including recommendations for plugin updates or hardening measures.
Details
- CWE(s)