CVE-2025-23888
Published: 24 January 2025
Summary
CVE-2025-23888 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001); ranked at the 32.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-23888 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the GrandSlambert Custom Page Extensions WordPress plugin (custom-page-extensions). This issue affects all versions from n/a through 0.6 inclusive. The vulnerability was published on 2025-01-24 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this vulnerability remotely over the network with low attack complexity and no required privileges, but it requires user interaction, such as clicking a malicious link. Exploitation enables reflected XSS, allowing attackers to inject and execute arbitrary scripts in the context of a victim's browser, potentially leading to low impacts on confidentiality, integrity, and availability within a changed security scope.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/custom-page-extensions/vulnerability/wordpress-custom-page-extensions-plugin-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the vulnerability specifically in Custom Page Extensions version 0.6 for WordPress.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3506
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GrandSlambert Custom Page Extensions custom-page-extensions allows Reflected XSS.This issue affects Custom Page Extensions: from n/a through <= 0.6.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Reflected XSS requires clicking a malicious link (T1204.001) and directly enables arbitrary JavaScript execution in the victim's browser (T1059.007).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-15 requires filtering information prior to web page generation to prevent reflected XSS by neutralizing malicious scripts in outputs.
SI-10 enforces validation of user inputs to block malicious payloads that enable reflected XSS in the WordPress plugin.
SI-2 mandates timely flaw remediation, directly addressing the improper input neutralization vulnerability in Custom Page Extensions versions through 0.6.