CVE-2025-23740
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zbynek Nedoma Easy School Registration easy-school-registration allows Reflected XSS. This issue affects Easy School Registration: from n/a through <= 3.9.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS vulnerability in Easy School Registration plugin allows script injection via improper input neutralization; patch available.
Vulnerability Overview
CVE-2025-23740 is a reflected Cross-Site Scripting (XSS) vulnerability in the WordPress plugin Easy School Registration, versions up to and including 3.9.8. The root cause is improper neutralization of user input during web page generation, allowing an attacker to inject arbitrary scripts [1].
Exploitation Details
The vulnerability is classified as reflected XSS and requires user interaction. An attacker can craft a malicious link or form that, when clicked or submitted by a victim with appropriate privileges, executes injected script code in the context of the victim's browser [1]. The attacker does not need to be authenticated, but the victim must be authenticated and perform an action.
Impact
Successful exploitation could allow an attacker to inject malicious scripts, such as redirects, advertisements, or other HTML payloads. These scripts execute when other users visit the affected site, potentially leading to session hijacking, defacement, or phishing attacks [1].
Mitigation
Users should immediately update the Easy School Registration plugin to a patched version. As a temporary measure, Patchstack has issued a mitigation rule to block attacks until an official update is deployed [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=3.9.8
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.