CVE-2025-23812
Published: 22 January 2025
Summary
CVE-2025-23812 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); ranked at the 42.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly addresses improper neutralization of input by enforcing validation of user inputs to prevent malicious XSS payloads from being accepted and reflected.
SI-15 mitigates reflected XSS by filtering and encoding information outputs, ensuring user-supplied data is safely rendered in web pages.
SI-2 ensures flaw remediation through patching the vulnerable WordPress plugin, eliminating the specific XSS vulnerability in Contact Form 7 Round Robin Lead Distribution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS enables exploitation via crafted malicious links delivered through spearphishing (T1566.002) or user execution (T1204.001), allowing arbitrary JS execution in the browser for session hijacking or data theft.
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David Jeffrey Contact Form 7 Round Robin Lead Distribution contact-form-7-round-robin-lead-distribution allows Reflected XSS.This issue affects Contact Form 7 Round Robin Lead Distribution: from n/a through <= 1.2.1.
Deeper analysisAI
CVE-2025-23812 is an improper neutralization of input during web page generation vulnerability, classified as reflected cross-site scripting (XSS) under CWE-79, affecting the WordPress plugin Contact Form 7 Round Robin Lead Distribution (contact-form-7-round-robin-lead-distribution) in all versions up to and including 1.2.1. Published on 2025-01-22, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low attack complexity, and scope change despite requiring user interaction.
Remote attackers with no privileges can exploit this vulnerability over the network by crafting malicious input that reflects unsanitized on a web page, tricking users into interacting with it, such as via a phishing link or form submission. Successful exploitation executes arbitrary JavaScript in the victim's browser context with changed scope, enabling low-impact compromise of confidentiality, integrity, and availability, such as session hijacking or minor data theft within the site's domain.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/contact-form-7-round-robin-lead-distribution/vulnerability/wordpress-contact-form-7-round-robin-lead-distribution-plugin-1-2-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the vulnerability in the plugin.
Details
- CWE(s)