CVE-2025-23637

Vulnerability

Description A Reflected Cross-Site Scripting (XSS) vulnerability exists in the WordPress plugin wp-xintaoke (also known as 新淘客WordPress插件) versions up to and including 1.1.2. The plugin fails to properly neutralize input during web page generation, allowing an attacker to inject arbitrary web scripts or HTML.

Exploitation

Details This reflected XSS vulnerability requires user interaction. An attacker can craft a malicious link or form that, when clicked or submitted by an authenticated user (such as an administrator), executes the injected script in the context of the victim's browser. The attack can be performed without requiring any special network position beyond delivering the crafted request to the target user.

Impact

Successful exploitation allows an attacker to inject malicious scripts, including redirects, advertisements, or other arbitrary HTML payloads, which will execute when other visitors access the affected site. This can lead to defacement, phishing, or further compromise of the WordPress installation.

Mitigation

As of the publication date, no official patch has been released. The plugin is end-of-life (EOL) and should be removed or replaced. A mitigation rule from Patchstack exists to block attacks until an official fix becomes available [1]. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns.