CVE-2025-23576
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cfuze WP Intro.JS wp-intro-js-tours allows Reflected XSS. This issue affects WP Intro.JS: from n/a through <= 1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The WP Intro.JS plugin ≤1.1 for WordPress is vulnerable to reflected XSS via improper input neutralization, enabling script injection attacks.
Vulnerability Overview
The WP Intro.JS plugin (versions up to and including 1.1) contains a reflected cross-site scripting (XSS) vulnerability, as documented in the Patchstack advisory [1]. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary JavaScript or HTML into the rendered output.
Exploitation Details
This reflected XSS requires user interaction, such as clicking a crafted link or submitting a specially designed form [1]. The attacker does not need high privileges but must trick a site visitor (including administrators) into performing the action. Because the vulnerability is reflected, the malicious payload is executed in the context of the victim's browser session.
Impact
Successful exploitation enables the attacker to inject malicious scripts—including redirects, advertisements, or other payloads—into the vulnerable page [1]. These scripts execute when other users visit the affected page, potentially leading to session hijacking, defacement, or further compromise of the WordPress site. Patchstack notes that this vulnerability is moderately dangerous and expected to be used in mass-exploit campaigns targeting thousands of sites [1].
Mitigation Status
The vendor has not released an official patch, but Patchstack offers a mitigation rule to block attacks until an update can be safely applied [1]. The immediate recommended action is to update the plugin as soon as a fixed version becomes available, or to contact the hosting provider for assistance [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WP Intro.JS (wp-intro-js-tours), Range: <= 1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.