VYPR
High severity · 7.1 · NVD Advisory · Published Mar 3, 2025 · Updated Apr 23, 2026

CVE-2025-23595

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brainpulse Page Health-O-Meter page-health-o-meter allows Reflected XSS. This issue affects Page Health-O-Meter: from n/a through <= 2.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in the Page Health-O-Meter WordPress plugin (<=2.0) allows unauthenticated attackers to inject arbitrary web scripts via a crafted URL.

Vulnerability Overview

The Page Health-O-Meter WordPress plugin versions up to and including 2.0 are vulnerable to reflected cross-site scripting (XSS). The flaw stems from improper neutralization of user-supplied input during web page generation [1]. This allows an attacker to inject arbitrary JavaScript or HTML into the application's response.

Exploitation Details

The attack does not require any prior authentication, making it exploitable by unauthenticated attackers. However, successful exploitation does require user interaction; the victim must click a crafted link or visit a specially crafted URL. An attacker can deliver the malicious link via email, social media, or other channels, targeting any user including site administrators [1].

Impact

A successful attack enables the attacker to execute malicious scripts in the context of the victim's browser. This can lead to session hijacking, redirection to malicious sites, defacement, or injection of advertisements and other HTML content into the affected site [1]. The CVSS v3 base score is 7.1 (High), indicating moderate to severe risk.

Mitigation

The plugin has not yet received an official patch. Users should update the plugin as soon as a patched version becomes available. If updating is not possible, site administrators should consider using a web application firewall (WAF) or a security plugin rule, such as those provided by Patchstack, to block exploit attempts until a fix can be applied [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
