Cyber Resilience

CVE-2025-23798

High

Published: 22 January 2025

Published
22 January 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0022 45.4th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-23798 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Buddypress Buddypress. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001); ranked at the 45.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-23798 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the ElbowRobo Mass Messaging in BuddyPress WordPress plugin (mass-messaging-in-buddypress). It affects all versions from n/a through 2.2.1.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as clicking a malicious link. Unauthenticated attackers can exploit it by tricking users into interacting with crafted input reflected in web pages, enabling arbitrary script execution in the victim's browser context with changed scope, resulting in low impacts to confidentiality, integrity, and availability.

Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/mass-messaging-in-buddypress/vulnerability/wordpress-mass-messaging-in-buddypress-plugin-2-2-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS issue in version 2.2.1, providing details for security practitioners to assess and address exposure in affected WordPress environments.

EU & UK References

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ElbowRobo Mass Messaging in BuddyPress mass-messaging-in-buddypress allows Reflected XSS.This issue affects Mass Messaging in BuddyPress: from n/a through <= 2.2.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Reflected XSS requires user interaction via crafted malicious link (T1204.001) to trigger arbitrary JavaScript execution in browser (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-26583Shared CWE-79
CVE-2026-24943Shared CWE-79
CVE-2025-22711Shared CWE-79
CVE-2025-23736Shared CWE-79
CVE-2025-23885Shared CWE-79
CVE-2025-23624Shared CWE-79
CVE-2025-23888Shared CWE-79
CVE-2024-13891Shared CWE-79
CVE-2025-68894Shared CWE-79
CVE-2025-23492Shared CWE-79

Affected Assets

buddypress
buddypress
≤ 2.2.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Information output filtering directly prevents reflected XSS by ensuring untrusted input is sanitized before rendering in web pages.

prevent

Information input validation enforces proper neutralization of user inputs, addressing the root cause of improper input handling in the vulnerable plugin.

prevent

Flaw remediation requires timely patching of the specific XSS vulnerability in the Mass Messaging in BuddyPress plugin up to version 2.2.1.

References