CVE-2025-23479
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in melascrivi melascrivi melascrivi allows Reflected XSS. This issue affects melascrivi: from n/a through <= 1.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in the WordPress melascrivi plugin (≤1.4) allows attackers to inject malicious scripts via improper input sanitization.
Vulnerability
Overview
The melascrivi plugin for WordPress (versions up to and including 1.4) suffers from a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during page generation. The plugin does not adequately filter or escape input before including it in web pages, which enables an attacker to inject arbitrary HTML and JavaScript code. [1]
Attack
Vector and Requirements
Exploitation requires user interaction — a victim must click a crafted malicious link, visit a specially prepared page, or submit a form. No elevated privileges are needed to initiate the attack, but the target user must perform the action. This makes the vulnerability well-suited for mass exploitation campaigns against thousands of WordPress sites, regardless of their popularity or traffic size. [1]
Impact
Successful exploitation allows an attacker to execute arbitrary scripts in the victim's browser within the context of the affected WordPress site. This could be used to perform actions like redirecting users to malicious sites, displaying unauthorized advertisements, or stealing session cookies. The CVSS v3 score is 7.1 (High), reflecting the potential for significant impact with moderate risk factors. [1]
Remediation
Status
As an immediate action, users should update the melascrivi plugin to a patched version if available. If an update is not yet released, users are advised to contact their hosting provider or web developer for assistance. Patchstack has also issued a mitigation rule that can block attacks until an official fix is applied and tested. [1]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.