CVE-2025-23857
Published: 14 February 2025
Summary
CVE-2025-23857 is a high-severity Cross-site Scripting (CWE-79) vulnerability in SmartDataSoft Essential WP Real Estate. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks at the 38.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Filters information outputs to neutralize malicious scripts before rendering in web pages, directly addressing improper neutralization during web page generation in this reflected XSS vulnerability.
Validates user inputs to block malicious payloads from being processed and reflected, preventing exploitation of the input neutralization flaw in the WordPress plugin.
Requires timely identification, reporting, and patching of flaws like this XSS vulnerability in the Essential WP Real Estate plugin up to version 1.1.3.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS via crafted URLs enables drive-by compromise (T1189) when users visit the vulnerable site; the attack vector of tricking users with malicious links aligns with spearphishing link delivery (T1566.002).
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SmartDataSoft Essential WP Real Estate essential-wp-real-estate allows Reflected XSS. This issue affects Essential WP Real Estate: from n/a through <= 1.1.3.
Deeper analysis
CVE-2025-23857 is an improper neutralization of input during web page generation vulnerability that enables reflected cross-site scripting (XSS), classified under CWE-79. It affects the Essential WP Real Estate WordPress plugin developed by SmartDataSoft (essential-wp-real-estate), in all versions up to and including 1.1.3. The issue was published on 2025-02-14.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility with low attack complexity and no required privileges, though user interaction is necessary. Remote attackers can exploit it by tricking authenticated or unauthenticated users—such as site visitors—into interacting with malicious input, like a crafted URL. This leads to arbitrary script execution in the victim's browser context, with changed scope enabling low impacts on confidentiality, integrity, and availability.
The Patchstack advisory provides details on this reflected XSS issue in the Essential WP Real Estate plugin version 1.1.3 and is available at https://patchstack.com/database/Wordpress/Plugin/essential-wp-real-estate/vulnerability/wordpress-essential-wp-real-estate-plugin-1-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve. Security practitioners should review it for recommended mitigations, such as applying available patches or updates beyond version 1.1.3.
Details
- CWE(s)