CVE-2025-23786

High

Published: 14 February 2025

Published

14 February 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0010 26.4th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-23786 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-15 Information Output Filtering good match

prevent

SI-15 directly addresses the improper neutralization of input during web page generation by requiring output filtering to prevent reflected XSS payloads from executing in the browser.

SI-10 Information Input Validation partial match

prevent

SI-10 mitigates reflected XSS by validating and sanitizing user inputs, such as malicious links, before processing in the WordPress plugin.

SI-2 Flaw Remediation good match

prevent

SI-2 ensures timely remediation of the specific flaw in the Email to Download plugin versions <=3.1.0 by identifying, prioritizing, and patching the XSS vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1185 Browser Session Hijacking Collection

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

attack.mitre.org →

T1056.001 Keylogging Collection

Adversaries may log user keystrokes to intercept credentials as the user types them.

attack.mitre.org →

T1539 Steal Web Session Cookie Credential Access

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

attack.mitre.org →

Why these techniques?

Reflected XSS in public-facing WordPress plugin directly enables T1190 for exploitation; facilitates T1185 for session hijacking, T1056.001 for keylogging, and T1539 for stealing web session cookies via client-side script execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DuoGeek Email to Download email-to-download allows Reflected XSS.This issue affects Email to Download: from n/a through <= 3.1.0.

Deeper analysisAI

CVE-2025-23786 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the DuoGeek Email to Download WordPress plugin. This issue affects all versions of the plugin from an unspecified initial release through 3.1.0. The vulnerability was published on 2025-02-14 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Attackers can exploit this vulnerability remotely over the network with low attack complexity and no required privileges, though it necessitates user interaction, such as a victim clicking a malicious link containing the XSS payload. Upon successful exploitation, attackers achieve low impacts on confidentiality, integrity, and availability within a changed security scope, potentially allowing theft of session cookies, keystroke logging, or other client-side attacks against the interacting user.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/email-to-download/vulnerability/wordpress-email-to-download-plugin-3-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve provides further details on the vulnerability in the WordPress Email to Download plugin version 3.1.0.

Details

CWE(s): CWE-79

CVEs Like This One

CVE-2026-2834Shared CWE-79

CVE-2026-28683Shared CWE-79

CVE-2026-2568Shared CWE-79

CVE-2025-0817Shared CWE-79

CVE-2026-24665Shared CWE-79

CVE-2026-32728Shared CWE-79

CVE-2026-2072Shared CWE-79

CVE-2024-55227Shared CWE-79

CVE-2025-25062Shared CWE-79

CVE-2024-51700Shared CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/email-to-download/vulnerability/wordpress-email-to-download-plugin-3-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com