CVE-2025-23718
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mancx Mancx AskMe Widget mancx-askme-widget allows Reflected XSS. This issue affects Mancx AskMe Widget: from n/a through <= 0.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in the Mancx AskMe Widget plugin for WordPress allows attackers to inject malicious scripts via unvalidated input.
Vulnerability Overview
CVE-2025-23718 is a reflected Cross-Site Scripting (XSS) vulnerability found in the Mancx AskMe Widget plugin for WordPress, affecting versions up to and including 0.3. The issue stems from Improper Neutralization of Input During Web Page Generation, allowing unvalidated user input to be reflected in web pages without proper sanitization [1].
Exploitation Requirements
Exploitation requires user interaction; a privileged user must click a crafted link, visit a specially prepared page, or submit a form that triggers the vulnerable script. This interaction can be achieved through social engineering or by embedding malicious links in comments, emails, or other website communications. The attack vector is network-based, with low attack complexity [1].
Impact
Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript into the target site. This can be used to deliver redirects, advertisements, or other payloads that execute when visitors access the site. The consequences include defacement, phishing, or data theft, depending on the injected payload. The CVSS v3 score of 7.1 (High) reflects the potential for widespread impact [1].
Mitigation Status
As of the publication date, no official patch has been released for versions 0.3 and below. However, the vendor (Patchstack) has issued a mitigation rule to block attacks until a permanent fix can be applied. Users are strongly advised to update the plugin immediately or contact their hosting provider for assistance if unable to do so. This vulnerability is expected to be used in mass-exploit campaigns, making timely remediation critical [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=0.3
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.