CVE-2025-23619
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Catch Themes Catch Duplicate Switcher (catch-duplicate-switcher) allows Reflected XSS. This issue affects Catch Duplicate Switcher: from n/a through <= 2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS vulnerability in Catch Duplicate Switcher WordPress plugin allows attackers to inject malicious scripts via crafted requests.
The Catch Duplicate Switcher plugin for WordPress versions up to and including 2.0 suffers from a reflected cross-site scripting (XSS) vulnerability. The issue stems from improper neutralization of user-supplied input during web page generation, enabling attackers to inject arbitrary HTML and JavaScript into pages.
Exploitation does not require authentication but does require user interaction. An attacker can craft a malicious link containing the XSS payload and trick a privileged user (such as an administrator) into clicking it. The payload is reflected back and executed in the context of the victim's browser session.
Successful exploitation allows an attacker to perform actions such as redirecting visitors to malicious sites, injecting advertisements, or stealing sensitive information. The vulnerability is rated with a CVSS v3 score of 7.1 (High) and is considered likely to be exploited in mass campaigns targeting WordPress sites.
Users are strongly advised to update the plugin to a patched version if available. For immediate protection, Patchstack offers a virtual mitigation rule that blocks attacks until an official patch can be applied and tested [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.0
Patches
No patches discovered yet.
References