Cyber Posture

CVE-2025-23742

High

Published: 14 February 2025

Published
14 February 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0011 29.2th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-23742 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); ranked at the 29.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Spearphishing Link (T1566.002) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-15 Information Output Filtering good match
prevent

Filters information prior to output in web pages, directly preventing reflected XSS by neutralizing malicious scripts in unsanitized input.

SI-10 Information Input Validation good match
prevent

Validates inputs to the WordPress plugin, rejecting or sanitizing payloads that could be reflected as executable scripts.

SI-2 Flaw Remediation good match
prevent

Remediates the improper neutralization flaw in podamibe-twilio-private-call versions <=1.0.1 through timely patching.

MITRE ATT&CK Enterprise TechniquesAI

T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
attack.mitre.org →
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
attack.mitre.org →
Why these techniques?

Reflected XSS allows script injection via malicious links (Spearphishing Link) and enables JavaScript execution in the victim's browser context.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Podamibe Nepal Podamibe Twilio Private Call podamibe-twilio-private-call allows Reflected XSS.This issue affects Podamibe Twilio Private Call: from n/a through <= 1.0.1.

Deeper analysisAI

CVE-2025-23742 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Podamibe Twilio Private Call WordPress plugin (podamibe-twilio-private-call) developed by Podamibe Nepal. The issue affects all versions from n/a through 1.0.1, allowing attackers to inject malicious scripts via unsanitized input reflected in web page generation.

With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability is exploitable remotely over the network by unauthenticated attackers with low attack complexity, provided they can induce user interaction, such as clicking a malicious link. Successful exploitation enables script execution in the context of the victim's browser, potentially compromising low levels of confidentiality, integrity, and availability while changing the scope to impact the client-side security context.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/podamibe-twilio-private-call/vulnerability/wordpress-podamibe-twilio-private-call-plugin-1-0-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS flaw in Podamibe Twilio Private Call plugin version 1.0.1, providing details for WordPress administrators to assess and address exposure in affected installations.

Details

CWE(s)
CWE-79

CVEs Like This One

CVE-2026-32517Shared CWE-79
CVE-2025-23889Shared CWE-79
CVE-2025-23432Shared CWE-79
CVE-2025-26554Shared CWE-79
CVE-2025-23521Shared CWE-79
CVE-2024-56296Shared CWE-79
CVE-2025-23544Shared CWE-79
CVE-2025-23536Shared CWE-79
CVE-2025-23523Shared CWE-79
CVE-2025-23575Shared CWE-79

References