CVE-2025-23600
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pinal.shah Send to a Friend Addon (send-booking-invites-to-friends) allows Reflected XSS. This issue affects Send to a Friend Addon: from n/a through <= 1.4.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Send to a Friend Addon WordPress plugin (≤1.4.1) allows unauthenticated script injection via improper input neutralization.
The Send to a Friend Addon plugin for WordPress, up to version 1.4.1, contains a reflected cross-site scripting (XSS) vulnerability. The root cause is improper neutralization of user-supplied input during web page generation, specifically in the send-booking-invites-to-friends functionality. This allows an attacker to inject arbitrary HTML and JavaScript code [1].
Exploitation does not require authentication, but successful execution requires a privileged user to click a crafted link or visit a specially prepared page. The attacker can deliver the payload through various means, such as a malicious URL, which then reflects the injected script back to the victim's browser [1].
The impact of successful exploitation includes the ability to execute arbitrary scripts in the context of the victim's session. This can lead to actions such as redirecting users to malicious sites, displaying unwanted advertisements, or stealing sensitive information like session tokens. The vulnerability has a CVSS v3 score of 7.1 (High) and is considered moderately dangerous, with potential for mass exploitation campaigns [1].
An official patch has not been released at the time of disclosure. However, Patchstack has provided a virtual mitigation rule that blocks attacks until a permanent fix is available. The primary remediation advice is to update the plugin to a patched version once released, or to disable the plugin if updating is not possible [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.4.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.