CVE-2025-23482

Vulnerability

Overview The azurecurve Floating Featured Image plugin for WordPress suffers from a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This issue affects all versions up to and including 2.2.0.

Exploitation

Details The vulnerability can be triggered without authentication, but successful exploitation requires user interaction. An attacker can craft a malicious link containing the XSS payload and trick a legitimate user (such as an administrator) into clicking it. When the victim accesses the link, the injected script executes in the context of their browser session [1].

Impact

A successful attack allows the attacker to inject arbitrary HTML and JavaScript into the WordPress admin panel. This can be used to perform actions like redirecting users to malicious sites, displaying unwanted advertisements, or stealing sensitive information such as session cookies. The vulnerability is considered moderately dangerous and is expected to be exploited in mass campaigns [1].

Mitigation

As an immediate action, users should update the plugin to the latest available version. If updating is not possible, applying a security mitigation rule (e.g., from Patchstack) can block exploitation attempts until a full patch is applied [1].