CVE-2025-23516

The Sale with Razorpay WordPress plugin (versions up to 1.0) contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This means the plugin fails to sanitize or escape input before including it in output, allowing an attacker to inject arbitrary HTML and JavaScript.

Exploitation requires a privileged user, such as an administrator, to interact with a crafted link or visit a specially prepared page [1]. The attacker does not need authentication but must trick the victim into clicking the malicious URL. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of websites simultaneously [1].

Successful exploitation enables the attacker to execute arbitrary scripts in the context of the victim's browser. This can lead to session hijacking, cookie theft, redirection to malicious sites, injection of advertisements, or defacement of the website [1]. The impact is amplified if the victim has elevated privileges, potentially allowing full site compromise.

As of the publication date, no official patch has been released, but Patchstack has provided a mitigation rule to block attacks until an update is available [1]. Users are strongly advised to update the plugin immediately or apply the recommended workaround to protect their sites.