CVE-2025-23553

Vulnerability

Overview

The Userbase Access Control plugin for WordPress (versions up to and including 1.0) contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This allows an attacker to inject arbitrary HTML and JavaScript into a response that is immediately reflected back to the user's browser.

Exploitation

Details

Exploitation requires user interaction: a victim (typically a site administrator or privileged user) must click a malicious link, visit a specially crafted page, or submit a form designed by the attacker [1]. No authentication is needed for the attacker to craft the payload, but the victim must be logged into the WordPress site for the injected script to execute in the context of the admin session.

Impact

Successful exploitation enables the attacker to execute malicious scripts in the victim's browser. This can lead to actions such as redirecting visitors to malicious sites, injecting advertisements, stealing session cookies, or performing other actions on behalf of the victim within the WordPress admin dashboard [1]. Given the plugin's limited user base, the vulnerability is expected to be used in automated mass-exploit campaigns targeting numerous WordPress sites.

Mitigation

Users should immediately update the plugin to a patched version if available. As of the publication date, no official patch has been released, but Patchstack has issued a mitigation rule to block attacks until an update can be safely applied [1]. Site administrators unable to update should consult their hosting provider or a web developer for assistance.