CVE-2025-23575
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DevriX DX Sales CRM (dx-sales-crm) allows Reflected XSS. This issue affects DX Sales CRM: from n/a through <= 1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-23575 is a reflected XSS vulnerability in DX Sales CRM for WordPress, allowing script injection via unsecured input.
Vulnerability
Overview
The plugin DX Sales CRM (dx-sales-crm) for WordPress, up to version 1.1, contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This enables an attacker to inject arbitrary HTML or JavaScript into the response, which the victim's browser then executes [1].
Exploitation
Exploitation requires user interaction, such as clicking a crafted link or visiting a specially prepared page. The attacker does not need authentication, but the victim must perform an action (e.g., click) for the payload to execute. This type of vulnerability is commonly used in mass-exploit campaigns targeting WordPress sites regardless of their popularity [1].
Impact
Successful exploitation allows an attacker to inject malicious scripts — for example, redirecting visitors to malicious sites, displaying fraudulent advertisements, or stealing session tokens. The CVSS v3 base score is 7.1 (High), indicating serious potential for harm [1].
Mitigation
As of the advisory date (2025-03-03), no official patch is available. Users are urged to update the plugin as soon as a patched version is released. In the interim, hosting providers or web developers can apply a mitigation rule provided by Patchstack to block attack attempts [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 1
News mentions: 0 (no linked articles in our index yet)