CVE-2025-23726
Published: 03 March 2025
Summary
CVE-2025-23726 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-15 requires filtering of information prior to output to users, directly addressing improper neutralization during web page generation that enables reflected XSS in ComparePress.
SI-10 mandates validation of all information inputs, preventing malicious payloads from being accepted and reflected in responses for this XSS vulnerability.
SI-2 ensures timely remediation of flaws like the reflected XSS in ComparePress versions <=2.0.8 through patching and updates.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The reflected XSS vulnerability in a public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and facilitates browser session hijacking through arbitrary script execution in the victim's browser (T1185).
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in thebloghouse ComparePress comparepress allows Reflected XSS.This issue affects ComparePress: from n/a through <= 2.0.8.
Deeper analysisAI
CVE-2025-23726 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the ComparePress WordPress plugin developed by thebloghouse. This issue affects ComparePress versions from n/a through 2.0.8 inclusive.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no privileges required, user interaction needed, and changed scope with low impacts to confidentiality, integrity, and availability. Remote attackers can exploit it by tricking authenticated or unauthenticated users into interacting with maliciously crafted input, such as a specially prepared link or form submission, leading to arbitrary script execution in the victim's browser within the site's context.
The Patchstack advisory provides details on this vulnerability in the ComparePress plugin version 2.0.8 at https://patchstack.com/database/Wordpress/Plugin/comparepress/vulnerability/wordpress-comparepress-plugin-2-0-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)