VYPR
High severity (7.1) · NVD Advisory · Published Mar 3, 2025 · Updated Apr 23, 2026

CVE-2025-23524

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dactum ClickBank Storefront mycbgenie-clickbank-storefront allows Reflected XSS. This issue affects ClickBank Storefront: from n/a through <= 1.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in ClickBank Storefront WordPress plugin allows attackers to inject malicious scripts via crafted requests, potentially compromising visitor data.

Vulnerability

Overview

The ClickBank Storefront WordPress plugin (mycbgenie-clickbank-storefront), versions up to and including 1.7, is vulnerable to Reflected Cross-Site Scripting (XSS) due to improper neutralization of input during web page generation (CWE-79) [1]. The plugin copies request input into a response page without escaping it for the HTML context it lands in, so an attacker who controls that input can place arbitrary JavaScript in the page the victim's browser renders.

Exploitation

Details

To exploit this vulnerability, an attacker crafts a URL to the affected site that carries the script in a request parameter and lures a user into opening it [1]. User interaction is required: the payload travels in the request and is not stored, so each victim must be delivered the link (for example through phishing, a comment, or a redirect). The attacker needs no account on the site. The impact depends on who opens the link and is highest when the victim is a logged-in privileged user such as an administrator, because the injected script then runs with that session's cookies and capabilities.
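The following is an added illustration, not code from the ClickBank Storefront plugin: a hypothetical WordPress search handler that reflects a query-string parameter, first in the vulnerable form the overview describes and then hardened with WordPress-style input sanitisation and context-specific output escaping. The parameter name `cb_q`, the markup and the stand-in escaping functions are assumptions made for this example; inside WordPress a plugin would call core's `esc_attr()`, `esc_html()` and `sanitize_text_field()` directly (and `wp_unslash()` the request value first).

```php
<?php
// Added illustration, not the ClickBank Storefront plugin's code. The parameter
// name `cb_q` and the markup are invented for this example.

// Stand-ins for the WordPress escaping API so the file runs under plain `php`
// outside WordPress. They approximate core behaviour (no double-encoding of
// existing entities); inside WordPress the real functions are used.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8', false);
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8', false);
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $text): string {
        $text = strip_tags($text);                            // drop HTML tags
        $text = preg_replace('/[\x00-\x1F\x7F]/', '', $text); // drop control bytes
        return trim($text);
    }
}

// VULNERABLE (CWE-79): the request value is concatenated into HTML as-is, in
// both an attribute context and an element-body context.
function render_search_vulnerable(array $get): string {
    $q = (string)($get['cb_q'] ?? '');
    return '<form method="get"><input name="cb_q" value="' . $q . '"></form>'
         . '<p>Results for ' . $q . '</p>';
}

// HARDENED: sanitise on input, then escape for each output context separately
// (esc_attr for attribute values, esc_html for text between tags). A real
// plugin would wp_unslash() the raw $_GET value before sanitising it.
function render_search_hardened(array $get): string {
    $q = sanitize_text_field((string)($get['cb_q'] ?? ''));
    return '<form method="get"><input name="cb_q" value="' . esc_attr($q) . '"></form>'
         . '<p>Results for ' . esc_html($q) . '</p>';
}

// Crude check used only for the demo: does the response contain a script element?
function contains_live_script(string $html): bool {
    return stripos($html, '<script') !== false;
}

if (PHP_SAPI === 'cli') {
    // Constructed attacker input, as it arrives in $_GET after PHP decodes a
    // link such as /?cb_q=%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E
    $get = ['cb_q' => '"><script>alert(document.cookie)</script>'];

    echo "vulnerable: ", render_search_vulnerable($get), "\n";
    echo "  live script? ", var_export(contains_live_script(render_search_vulnerable($get)), true), "\n";
    echo "hardened:   ", render_search_hardened($get), "\n";
    echo "  live script? ", var_export(contains_live_script(render_search_hardened($get)), true), "\n";
}
```

Run it with `php example.php`: the vulnerable output closes the `value` attribute with the attacker's `">` and emits a live `<script>` element, while the hardened output shows the same bytes as inert text (`&quot;&gt;...`). Note that sanitisation alone is not the fix; the escaping step is what neutralises the output, and it has to match the context (attribute vs. element body vs. URL vs. JavaScript string).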

Impact

Successful exploitation lets the attacker run arbitrary HTML and JavaScript in the victim's browser within the origin of the affected WordPress site [1]. That script can read page content, issue authenticated requests on the victim's behalf (for an administrator, that includes creating users or editing plugins through wp-admin), deface the page, redirect to malicious sites, or steal sensitive information. Patchstack rates the issue as moderately dangerous [1]; because every victim must be lured to a crafted link, it lends itself to targeted attacks on logged-in administrators more than to fully automated, unauthenticated exploitation.

Mitigation

The vendor recommends updating the plugin to a patched version as soon as one is available [1]. As an interim measure, Patchstack has released a virtual patch (a request-filtering rule) to block attack attempts until an official fix can be applied. Site owners who cannot update or use a virtual patch should consider deactivating the plugin, and may contact their hosting provider for assistance. Because the script runs inside the victim's authenticated session, cookie flags such as HttpOnly limit cookie theft but do not prevent the script from acting on the site as that user.
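As an added example of what a virtual patch or WAF rule does for a reflected XSS issue such as this one (this is not Patchstack's rule and not the plugin's code): decode each query-string value until it stops changing, then match it against script-like patterns before the request reaches the plugin. The parameter names and the access-log lines are constructed for this example; the advisory does not name the affected parameter, so a real rule would be scoped to it.

```php
<?php
// Added illustration of a WAF-style reflected-XSS check, run offline over
// constructed access-log lines. Not Patchstack's rule; parameter names invented.

// Decode repeatedly (bounded) to defeat double URL-encoding, decode HTML
// entities, drop NUL bytes, and fold case so patterns can be written once.
function normalise_param(string $raw): string {
    $v = $raw;
    for ($i = 0; $i < 3; $i++) {
        $d = rawurldecode($v);   // rawurldecode keeps '+' literal; use urldecode for form bodies
        if ($d === $v) break;
        $v = $d;
    }
    $v = str_replace("\0", '', $v);
    $v = html_entity_decode($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return strtolower($v);
}

// Crude heuristics; tune for false positives (e.g. words starting with "on").
const XSS_PATTERNS = [
    '/<\s*script\b/',
    '/\bon[a-z]+\s*=/',                          // onerror=, onload=, ...
    '/javascript\s*:/',
    '/<\s*(img|svg|iframe|object|embed|body)\b/',
    '/["\'][^"\']*>\s*</',                      // quote break-out then a new tag
];

// Returns [param => normalised value] for every parameter that looks like a probe.
function xss_probe_hits(string $query): array {
    $hits = [];
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') continue;
        [$name, $raw] = array_pad(explode('=', $pair, 2), 2, '');
        $value = normalise_param($raw);
        foreach (XSS_PATTERNS as $re) {
            if (preg_match($re, $value)) {
                $hits[rawurldecode($name)] = $value;
                break;
            }
        }
    }
    return $hits;
}

// Parse Apache combined-format lines and return the flagged requests.
function scan_log(string $log): array {
    $flagged = [];
    foreach (explode("\n", trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "GET ([^ "]+)/', $line, $m)) continue;
        $query = (string)(parse_url($m[3], PHP_URL_QUERY) ?? '');
        $hits  = xss_probe_hits($query);
        if ($hits) $flagged[] = ['ip' => $m[1], 'time' => $m[2], 'params' => $hits];
    }
    return $flagged;
}

// Constructed log lines: one benign search, one plain payload, one
// double-encoded payload, one unrelated request. `cb_q` is a placeholder.
$log = <<<'LOG'
203.0.113.7 - - [03/Mar/2025:10:01:22 +0000] "GET /?cb_q=headphones HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2025:10:02:05 +0000] "GET /?cb_q=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5212 "-" "Mozilla/5.0"
198.51.100.4 - - [03/Mar/2025:10:03:41 +0000] "GET /?cb_q=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5230 "-" "curl/8.0"
198.51.100.5 - - [03/Mar/2025:10:04:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
LOG;

if (PHP_SAPI === 'cli') {
    foreach (scan_log($log) as $f) {
        printf("%s %s -> %s\n", $f['time'], $f['ip'], json_encode($f['params']));
    }
}
```

The second and third lines are flagged; the double-encoded one only because the value is decoded until it stops changing, which is the step naive filters skip. A rule like this is a stopgap: it reduces exposure to known payload shapes, but only fixing the output escaping in the plugin removes the vulnerability.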

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.