CVE-2025-23564
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mohsenshahbazi WP FixTag wp-fixtag allows Reflected XSS. This issue affects WP FixTag: from n/a through <= v2.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS vulnerability in WP FixTag WordPress plugin ≤2.0.2 allows attackers to inject malicious scripts via improper input neutralization.
Vulnerability Overview
The WP FixTag plugin for WordPress versions up to and including 2.0.2 contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This allows an attacker to inject arbitrary HTML and JavaScript code into the application's response.
Exploitation Conditions
The vulnerability is classified as reflected XSS, meaning the malicious payload is provided via a crafted request (e.g., a URL parameter) and is immediately reflected back in the server's response [1]. Exploitation requires user interaction, such as a victim clicking a specially crafted link or visiting a malicious page. The attacker does not need prior authentication, but the victim must be logged into the WordPress site for the injected script to execute in a privileged context.
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can be used to redirect users to malicious sites, display unwanted advertisements, steal session cookies, or perform actions on behalf of the victim [1]. The vulnerability has a CVSS score of 7.1 (High) and is expected to be used in mass exploitation campaigns.
Mitigation
Users are advised to update the WP FixTag plugin to a patched version as soon as available. As an immediate workaround, the Patchstack platform provides a virtual mitigation rule that blocks attacks until an official patch is released [1]. Administrators who cannot update immediately should consult their hosting provider for assistance.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.