CVE-2025-23850
Published: 03 March 2025
Summary
CVE-2025-23850 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Information Output Filtering directly prevents reflected XSS by encoding or filtering user input reflected in web page generation to block JavaScript execution.
Information Input Validation ensures malicious inputs are checked and rejected before processing, mitigating improper neutralization leading to XSS in the WordPress plugin.
Flaw Remediation requires timely patching of the vulnerable Mojo Under Construction plugin versions up to 1.1.2 to eliminate the XSS vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The reflected XSS vulnerability in a public-facing WordPress plugin allows remote attackers to execute arbitrary JavaScript in the victim's browser by exploiting the web application (T1190) and using JavaScript as a scripting interpreter (T1059.007).
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mojowill Mojo Under Construction mojo-under-construction allows Reflected XSS.This issue affects Mojo Under Construction: from n/a through <= 1.1.2.
Deeper analysisAI
CVE-2025-23850 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Mojo Under Construction WordPress plugin by mojowill. This issue affects the plugin from unknown initial versions through version 1.1.2 inclusive. The vulnerability was published on 2025-03-03.
The CVSS v3.1 base score is 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no privileges required, and user interaction needed, with changed scope and low impacts on confidentiality, integrity, and availability. Remote attackers can exploit it by tricking authenticated or unauthenticated users into interacting with malicious input, such as clicking a crafted link, leading to execution of arbitrary JavaScript in the victim's browser context.
The Patchstack advisory provides further details on the vulnerability in the WordPress Mojo Under Construction plugin version 1.1.2, including remediation guidance, accessible at https://patchstack.com/database/Wordpress/Plugin/mojo-under-construction/vulnerability/wordpress-mojo-under-construction-plugin-1-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)