CVE-2025-23585

The Goo.gl Url Shorter plugin for WordPress versions 1.0.1 and earlier contain a reflected cross-site scripting (XSS) vulnerability. The vulnerability arises from improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript into the response.

Exploitation requires user interaction, typically through clicking a malicious link or visiting a specially crafted page. The attacker does not need authentication but must convince a user (e.g., an administrator) to interact with the crafted URL. This is a reflected XSS, meaning the payload is executed immediately in the victim's browser.

Successful exploitation enables an attacker to execute arbitrary scripts in the context of the victim's browser session. This can be used to steal cookies, redirect users to malicious sites, display advertisements, or perform other actions that compromise the integrity of the affected WordPress site.

The vendor has not released a patch, but Patchstack has issued a virtual mitigation rule to block attacks until an official fix is available [1]. Users are advised to update the plugin as soon as a patched version is released, or apply the mitigation rule provided by Patchstack. The vulnerability is considered moderately dangerous and is expected to be exploited in mass campaigns [1].