CVE-2025-23451
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in titodevera Awesome Twitter Feeds awesome-twitter-feeds allows Reflected XSS. This issue affects Awesome Twitter Feeds: from n/a through <= 1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-23451 is a reflected XSS vulnerability in the WordPress Awesome Twitter Feeds plugin <= 1.0, allowing script injection via unvalidated input.
Vulnerability Overview
CVE-2025-23451 is a reflected Cross-Site Scripting (XSS) vulnerability in the WordPress plugin Awesome Twitter Feeds, affecting all versions up to and including 1.0. The flaw resides in improper neutralization of user-supplied input during web page generation, enabling an attacker to inject arbitrary HTML or JavaScript into a page response [1].
Exploitation Details
An unauthenticated attacker can exploit this by crafting a malicious link that, when clicked by an authenticated WordPress user, reflects the injected script back to the victim's browser. User interaction is required: the victim must click the link or visit a crafted page [1]. The attack does not require any special privileges beyond standard user access.
Impact
Successful exploitation could allow an attacker to execute arbitrary scripts in the context of the victim's browser session. This could lead to actions such as redirecting users to malicious sites, displaying misleading advertisements, or stealing sensitive session data [1].
Mitigation
The vulnerability is considered moderately dangerous and is expected to be targeted in mass-exploit campaigns. As of the advisory, no official patch is available; however, Patchstack has released a mitigation rule to block attacks until an update can be applied [1]. Users are strongly advised to update the plugin immediately or contact their hosting provider for assistance.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=1.0
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.