VYPR
High severity · CVSS 7.1 · NVD Advisory · Published Mar 3, 2025 · Updated Apr 23, 2026

CVE-2025-23472

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexostudio Flexo Slider flexo-slider allows Reflected XSS. This issue affects Flexo Slider: from n/a through <= 1.0013.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in Flexo Slider plugin (≤1.0013) allows script injection via unvalidated input; moderate risk with user interaction required.

Vulnerability Overview

CVE-2025-23472 is a reflected cross-site scripting (XSS) vulnerability in the WordPress plugin Flexo Slider, affecting versions through 1.0013. The flaw stems from improper neutralization of user-supplied input during web page generation, enabling an attacker to inject arbitrary HTML or JavaScript into the response [1].

Exploitation Conditions

Exploitation requires user interaction: a victim (such as a site visitor or administrator) must click a crafted link, visit a malicious page, or submit a specially prepared form [1]. No authentication is mentioned as a prerequisite, so the reflected input can be triggered without an account on the site. The attack surface is the slider plugin's front-end or admin-facing components that reflect input without sanitization.

Impact

Successful injection allows the attacker to execute malicious scripts in the context of the victim’s browser session. This can lead to redirection to attacker-controlled sites, display of unauthorized advertisements, or other HTML payloads that compromise the integrity of the website for visitors [1]. While the CVSS v3 score is 7.1 (High), partial privileges may be required, and the attack typically requires user interaction [1].

Mitigation Status

Patchstack has released a virtual mitigation rule that blocks attacks until an official patch is applied [1]. Users are strongly advised to update the plugin to a patched version when available, or to contact their hosting provider for assistance. The vulnerability is considered reasonably likely to be exploited in mass campaigns, so immediate action is recommended [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 1

News mentions: 0 (no linked articles in the index yet)