CVE-2025-23744
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dvs11 Random Posts, Mp3 Player + ShareButton (random-posts-mp3-player-sharebutton) allows Reflected XSS. This issue affects Random Posts, Mp3 Player + ShareButton: from n/a through <= 1.4.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Random Posts, Mp3 Player + ShareButton plugin (≤1.4.1) allows unauthenticated attackers to inject malicious scripts via improperly sanitized input.
The WordPress plugin Random Posts, Mp3 Player + ShareButton (plugin slug random-posts-mp3-player-sharebutton, versions up to and including 1.4.1) contains a reflected Cross-Site Scripting (XSS) vulnerability caused by improper neutralization of user-supplied input during web page generation. The affected code reflects request input into the HTTP response without sanitizing it on input or escaping it for the HTML context in which it is written [1]. The advisory does not name the vulnerable parameter or page.
Exploitation requires user interaction: the attacker crafts a URL carrying the payload and needs a victim to open it, typically via a link or a page that loads it. No authentication is needed to deliver the payload. The injected script executes in the victim's browser in the origin of the WordPress site regardless of login state; the impact is greatest when the victim holds an authenticated session, since the script then runs with that session's privileges and cookies (an administrator being the worst case) [1].
Successful exploitation allows the attacker to inject arbitrary HTML and JavaScript, which can be used to redirect visitors, display advertisements, or perform other actions within the website's security context. This can lead to data theft, session hijacking, or defacement [1].
As of the advisory date, no fixed release is available (1.4.1 is the latest affected version), but the Patchstack team has released a virtual patching rule for its users. Site owners are advised to update the plugin as soon as a patched version is published, and in the meantime to apply the Patchstack mitigation rule or, where that is not an option, to deactivate the plugin [1].
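The pattern behind this class of finding, as an added example (not code from the Random Posts, Mp3 Player + ShareButton plugin; the advisory does not disclose the vulnerable parameter, so the request parameter name `rpmp_q` and the two render functions are hypothetical): a plugin reads a query-string value and writes it into the page both as element text and as an attribute value. The vulnerable version concatenates the raw value; the hardened version sanitizes on input with `sanitize_text_field()` and, more importantly, escapes on output with the function matching each HTML context (`esc_html()` for text, `esc_attr()` for attribute values). The WordPress helpers are stubbed with `htmlspecialchars()` fallbacks when the file is run outside WordPress, so the block executes under a plain `php` CLI.

```php
<?php
// Added example, not the plugin's own code. Parameter name 'rpmp_q' and the
// function names are hypothetical; the two constructed payloads below are
// generic reflected-XSS probes, not payloads taken from the advisory.

// Fallbacks so this file also runs outside WordPress (php this_file.php).
// Inside WordPress the real functions are defined and these are skipped.
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($s) { return stripslashes((string) $s); }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation of WordPress's behaviour: drop tags and surrounding whitespace.
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
}

// Vulnerable pattern (CWE-79): request input is reflected verbatim into
// both a text node and an attribute value, so any '<' or '"' in the input
// changes the markup instead of being displayed literally.
function rpmp_render_vulnerable(array $get): string
{
    $q = isset($get['rpmp_q']) ? $get['rpmp_q'] : '';
    return '<p>Results for: ' . $q . '</p>'
         . '<input type="text" name="rpmp_q" value="' . $q . '">';
}

// Hardened pattern: sanitize once on the way in, then escape at every
// output point with the function for that context. The output escaping is
// what actually prevents XSS; sanitize_text_field() alone is not sufficient.
function rpmp_render_hardened(array $get): string
{
    $q = isset($get['rpmp_q']) ? sanitize_text_field(wp_unslash($get['rpmp_q'])) : '';
    return '<p>Results for: ' . esc_html($q) . '</p>'
         . '<input type="text" name="rpmp_q" value="' . esc_attr($q) . '">';
}

// Constructed probes: one targets the text context, one breaks out of the
// attribute value. A real-world check is the same request sent with curl
// and a grep of the response body for the unescaped payload.
$payloads = [
    '<script>alert(document.cookie)</script>',
    '"><img src=x onerror=alert(1)>',
];

foreach ($payloads as $p) {
    $get = ['rpmp_q' => $p];
    echo "payload:    {$p}\n";
    echo "vulnerable: " . rpmp_render_vulnerable($get) . "\n";
    echo "hardened:   " . rpmp_render_hardened($get) . "\n\n";
}
```

In the vulnerable output the payloads appear unchanged, which is exactly what a tester looks for when confirming reflection: the response echoes the request value with `<`, `>` and `"` intact. In the hardened output the tag is stripped by sanitization and any remaining `"` or `>` is rendered as `&quot;` and `&gt;`, so the browser shows the characters rather than executing them. When reviewing a plugin, check every `echo`/`print` of `$_GET`, `$_POST`, `$_REQUEST` or `$_SERVER['REQUEST_URI']` data and confirm the escaping function matches the context (text, attribute, URL, or JavaScript); a value that is correct for one context is still exploitable in another.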
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=1.4.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.