CVE-2025-23668
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mauricio Urrego ChatGPT Open AI Images & Content for WooCommerce (glasses-for-woocommerce) allows Reflected XSS. This issue affects ChatGPT Open AI Images & Content for WooCommerce: from n/a through <= 2.2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in the ChatGPT Open AI Images & Content for WooCommerce plugin (≤ 2.2.0) allows unauthenticated attackers to inject malicious scripts via crafted links; exploitation requires a privileged user to interact with such a link.
Vulnerability Overview
The vulnerability is a Reflected Cross-Site Scripting (XSS) in the WordPress plugin ChatGPT Open AI Images & Content for WooCommerce (versions up to and including 2.2.0). It stems from improper neutralization of user input during web page generation, allowing an attacker to inject arbitrary JavaScript into a page rendered to a user.
Exploitation Details
Exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a form. The attacker does not need authentication but depends on social engineering to lure the victim into triggering the malicious payload [1].
Impact
Successful exploitation permits the attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads. These scripts execute in the context of the victim's browser when they visit the affected site, potentially leading to session hijacking, defacement, or further compromise [1].
Mitigation Status
As of the advisory, no official patch is available for versions ≤ 2.2.0; users are advised to update the plugin as soon as a fix is released. In the interim, a mitigation rule from Patchstack can block attacks. The vulnerability is expected to be used in mass-exploit campaigns [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 2.2.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.