CVE-2025-23746
Published: 22 January 2025
Summary
CVE-2025-23746 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-23746 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-Site Scripting (XSS) as classified under CWE-79, in the Edem CMC MIGRATE (cmc-migrate) WordPress plugin. This issue affects versions from n/a through <= 0.0.3. Published on 2025-01-22T15:15:22.783, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
An unauthenticated remote attacker with network access can exploit this vulnerability by crafting malicious input that is reflected without proper neutralization during web page generation. Exploitation requires low complexity and user interaction, such as a victim clicking a malicious link. Upon success, the attacker achieves a changed scope with low impacts on confidentiality, integrity, and availability, typically allowing arbitrary JavaScript execution in the victim's browser context.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/cmc-migrate/vulnerability/wordpress-cmc-migrate-plugin-0-0-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve provides details on this WordPress plugin vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3384
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Edem CMC MIGRATE cmc-migrate allows Reflected XSS.This issue affects CMC MIGRATE: from n/a through <= 0.0.3.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables exploitation via crafted malicious links requiring user interaction for JS execution in browser.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-15 directly and comprehensively mitigates reflected XSS by requiring output filtering to neutralize malicious input during web page generation in the cmc-migrate plugin.
SI-10 addresses reflected XSS by validating user inputs to reject malicious payloads before they are processed and reflected by the vulnerable WordPress plugin.
SI-2 ensures timely identification, reporting, and patching of the specific improper neutralization flaw in cmc-migrate versions through <= 0.0.3.