VYPR
High severity · 7.1 · NVD Advisory · Published Mar 3, 2025 · Updated Apr 23, 2026

CVE-2025-23555

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in chenyenming Ui Slider Filter By Price ui-slider-filter-by-price allows Reflected XSS. This issue affects Ui Slider Filter By Price: from n/a through <= 1.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability in the WordPress Ui Slider Filter By Price plugin (≤1.1) allows remote attackers to inject arbitrary scripts via unneutralized input.

The WordPress plugin Ui Slider Filter By Price (versions up to and including 1.1) contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This type of flaw, categorized under CWE-79, occurs when the plugin fails to validate or encode input before reflecting it in a response, enabling script injection.

Exploitation requires user interaction: a privileged user must click a crafted link, visit a malicious page, or submit a specially crafted form [1]. The attack surface is the plugin's handling of parameters in the URL or form data, which are echoed back without sanitization. No authentication beyond the victim's session is needed to deliver the payload, making it a classic reflected XSS vector.

Successful exploitation could allow an attacker to inject arbitrary HTML and JavaScript into the victim's browser. This can be leveraged to perform actions like redirecting visitors to malicious sites, displaying unwanted advertisements, or stealing session cookies [1]. The CVSS v3.1 base score is 7.1 (High), reflecting the risk of widespread automated attacks.

As of the publication date, an official patch may not be available, but Patchstack has issued a mitigation rule to block attacks until an update can be safely applied [1]. The vendor (chenyenming) has not released a fix, and users are advised to update the plugin immediately if a patched version becomes available, or to contact their hosting provider for assistance [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
