CVE-2025-23721

Vulnerability

Overview

The Mobigate plugin for WordPress (versions up to and including 1.0.3) contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript into a response, which is then executed in the victim's browser.

Exploitation

Details

Exploitation requires user interaction, such as clicking a crafted link or visiting a specially prepared page [1]. The attacker does not need prior authentication, but the target user must be logged into the WordPress site for the injected script to run in a privileged context. The vulnerability can be triggered remotely, making it suitable for mass-exploitation campaigns against any site running the vulnerable plugin [1].

Impact

Successful exploitation allows an attacker to execute arbitrary scripts in the context of the victim's browser session. This can lead to session hijacking, redirection to malicious sites, injection of advertisements, or defacement of the website [1]. The CVSS score of 7.1 (High) reflects the moderate complexity and potential for widespread abuse.

Mitigation

As of the publication date, no official patch has been released for the Mobigate plugin. Users are advised to update the plugin as soon as a fix becomes available. In the interim, Patchstack has issued a mitigation rule to block attacks until an official patch can be tested and applied [1]. Site administrators should consider disabling the plugin if immediate mitigation is not possible.