CVE-2025-23539
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in surror Awesome Hooks awesome-hooks allows Reflected XSS. This issue affects Awesome Hooks: from n/a through <= 1.0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WordPress Awesome Hooks plugin ≤1.0.1 has a reflected XSS flaw; an attacker can inject malicious scripts via a crafted request without authentication.
Vulnerability
Overview
The Awesome Hooks plugin for WordPress versions up to and including 1.0.1 contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. The flaw exists in the awesome-hooks component, where unsanitized parameters are reflected back to the user, allowing arbitrary script injection. [1]
Exploitation
Details
An attacker can exploit this by crafting a malicious URL containing a JavaScript payload which, when visited by a privileged user (e.g., an administrator), executes in the context of the victim's browser. No authentication is required to trigger the reflection, but successful exploitation requires user interaction such as clicking the crafted link or submitting a form. This pattern is typical of reflected XSS attacks targeting WordPress plugins. [1]
Impact
Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript into the admin or public-facing pages of the site. This can be used to redirect visitors to malicious sites, display unwanted advertisements, steal session cookies, or perform other actions on behalf of the victim user. The published CVSS v3 score of 7.1 (High) reflects the potential for significant impact via script injection requiring some user interaction. [1]
Mitigation
The vendor has not released an official patch at the time of publication, but Patchstack has issued a virtual mitigation rule that blocks exploitation attempts. Users are strongly advised to update the plugin to a patched version as soon as it becomes available, or to contact their hosting provider or web developer for assistance. The vulnerability is considered likely to be included in mass-exploit campaigns. [1]
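To make the "improper neutralization during web page generation" class concrete from the defender's side, the following is an added illustration and is not the Awesome Hooks plugin's code: a hypothetical WordPress admin-page function (names prefixed `ah_demo_` are assumptions) that reflects a request parameter, shown first in the unsafe form and then hardened with WordPress's own input-handling and output-escaping helpers.

```php
<?php
// Added illustration (hypothetical code, not the Awesome Hooks plugin's own):
// an admin page that reflects the ?tab=... request parameter into its HTML.

// Vulnerable pattern: the raw request value is written into the page as-is,
// so whatever markup a crafted link carries becomes part of the rendered page
// in the viewer's browser. This is the generic shape of a reflected XSS bug.
function ah_demo_render_tab_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    echo '<h2>Settings: ' . $tab . '</h2>';
    echo '<input type="text" name="tab" value="' . $tab . '">';
}

// Hardened pattern: unslash the raw value, reduce it to a safe character set,
// restrict it to a known allow-list where the parameter has a fixed vocabulary,
// and escape for the exact output context (HTML text vs. HTML attribute).
function ah_demo_render_tab_hardened() {
    $allowed = array( 'general', 'advanced' );
    $tab     = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';

    // Allow-listing is the strongest control: an unexpected value never reaches output.
    if ( ! in_array( $tab, $allowed, true ) ) {
        $tab = 'general';
    }

    // Context-specific escaping is the minimum even for values believed safe.
    echo '<h2>Settings: ' . esc_html( $tab ) . '</h2>';
    echo '<input type="text" name="tab" value="' . esc_attr( $tab ) . '">';
}
```

`sanitize_key()`, `wp_unslash()`, `esc_html()` and `esc_attr()` are standard WordPress functions. Where a parameter must carry free text rather than a fixed vocabulary, the allow-list step is dropped and the escaping step becomes the only barrier, which is why it must match the output context (attribute, HTML body, URL or JavaScript) rather than being applied generically.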
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.