CVE-2025-23570

Vulnerability

Overview CVE-2025-23570 is a reflected cross-site scripting (XSS) vulnerability in the WordPress plugin WP Social Links, affecting versions up to and including 0.3.1. The issue stems from improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript into a response [1].

Exploitation

Details Exploitation requires user interaction, such as clicking a crafted link or visiting a specially prepared page. The vulnerability can be triggered by any unauthenticated user, but successful execution depends on a privileged user (e.g., an administrator) performing an action like clicking the malicious link. This makes it suitable for mass-exploit campaigns targeting thousands of WordPress sites [1].

Impact

If exploited, an attacker can inject malicious scripts that execute in the context of the victim's browser. This could lead to redirects, display of advertisements, or other HTML payloads, potentially compromising the site's integrity and user trust [1].

Mitigation

As of the publication date, no official patch has been released. The vendor recommends updating the plugin immediately. In the interim, a mitigation rule from Patchstack is available to block attacks until a tested patch can be applied [1].