VYPR
High severity (7.1) · NVD Advisory · Published Jan 27, 2025 · Updated Apr 23, 2026

CVE-2025-23752

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Clifton Griffin CGD Arrange Terms (shopp-arrange) allows Reflected XSS. This issue affects CGD Arrange Terms: from n/a through 1.1.3 (all versions up to and including 1.1.3).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS vulnerability in WordPress CGD Arrange Terms plugin (≤1.1.3) allows attackers to inject malicious scripts via crafted requests, requiring user interaction.

Vulnerability

Overview

The CGD Arrange Terms plugin for WordPress (shopp-arrange), versions up to and including 1.1.3, suffers from a reflected Cross-Site Scripting (XSS) vulnerability caused by improper neutralization of input during web page generation. The plugin writes user-supplied request data into a generated page without sanitizing it on input or escaping it for the HTML context on output, so an attacker can inject arbitrary HTML and JavaScript into the response. [1]
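To make the failure concrete, the following is an added illustration written for this page; it is not code from the CGD Arrange Terms plugin, whose page slug, parameter names and function names are not given in the advisory. The function names, the `taxonomy` parameter and the `shopp_arrange_terms` nonce action are assumptions. The first function shows the pattern the CWE describes (request input echoed straight into HTML); the second shows the WordPress-idiomatic hardening: capability check, nonce check, sanitize on input, and escape on output with the escaper that matches the HTML context.

```php
<?php
// Added illustration for CVE-2025-23752; NOT the plugin's own code.
// Function names, the 'taxonomy' parameter and the nonce action are hypothetical.

// VULNERABLE PATTERN: raw request input echoed into the admin page.
function shopp_arrange_render_vulnerable() {
    $taxonomy = isset( $_GET['taxonomy'] ) ? $_GET['taxonomy'] : 'category';

    // A crafted link such as  ?taxonomy="><script>...</script>  closes the
    // attribute below and runs script in the logged-in admin's browser.
    echo '<input type="hidden" name="taxonomy" value="' . $taxonomy . '">';
    echo '<h2>Arranging terms for ' . $taxonomy . '</h2>';
}

// HARDENED PATTERN: authorize, verify the nonce, sanitize on input,
// escape on output with the context-appropriate WordPress escaper.
function shopp_arrange_render_hardened() {
    // Only users allowed to manage terms may reach this page at all.
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.' ) );
    }

    // Reject requests that did not originate from this plugin's own form or link
    // (the nonce travels in the default _wpnonce query argument).
    check_admin_referer( 'shopp_arrange_terms' );

    // Sanitize on input: a taxonomy name is a key ([a-z0-9_-]), nothing else.
    $taxonomy = isset( $_GET['taxonomy'] )
        ? sanitize_key( wp_unslash( $_GET['taxonomy'] ) )
        : 'category';

    // Allow-list against registered taxonomies rather than trusting the string.
    if ( ! taxonomy_exists( $taxonomy ) ) {
        $taxonomy = 'category';
    }

    // Escape on output, matching the context: esc_attr() inside an attribute,
    // esc_html() inside element text. Each neutralizes the characters that
    // would let the value break out of that specific context.
    echo '<input type="hidden" name="taxonomy" value="' . esc_attr( $taxonomy ) . '">';
    echo '<h2>' . esc_html( sprintf( 'Arranging terms for %s', $taxonomy ) ) . '</h2>';
}
```

Sanitizing on input and escaping on output are both needed: `sanitize_key()` alone would not protect a value that is later reused in a different context, and `esc_html()` alone would not stop a nonsense taxonomy name from reaching the database. The nonce check matters for a reflected bug specifically, because the attack is delivered as a link the administrator clicks from somewhere else; a request without a valid nonce issued to that user is rejected before anything is rendered.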

Exploitation

Details

Exploitation requires user interaction: a privileged user (such as an administrator) must click a crafted link, visit a specially prepared page, or submit a malicious form. The attacker does not need authentication but relies on tricking an authenticated user into performing an action. This makes the vulnerability suitable for mass exploitation campaigns targeting WordPress sites. [1]

Impact

Successful exploitation enables an attacker to inject malicious scripts that execute in the victim's browser under the site's origin. This can lead to redirects to malicious sites, display of unwanted advertisements, theft of session cookies, or other actions that compromise the site's integrity and user trust. [1] Note that WordPress sets its authentication cookies HttpOnly by default, so when the victim is an administrator the more practical risk is script issuing authenticated requests with that administrator's privileges (for example creating users or changing settings) rather than reading the cookie itself.

Mitigation

The vendor has not released an official patch as of the publication date, but Patchstack has provided a mitigation rule to block attacks. Users are strongly advised to update the plugin to a patched version once available, or apply the mitigation rule. Immediate action is recommended due to the potential for mass exploitation. [1]
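Until a fixed release exists, defenders can at least spot probing against the affected admin page in web server logs. The following is an added example for this page, not Patchstack's rule and not code from the plugin: a small plain-PHP check that parses combined-format access log lines and flags requests to wp-admin whose query string carries a common reflected-XSS probe, after URL-decoding twice to catch double-encoded payloads. The page slug and `taxonomy` parameter in the sample URIs, and the sample log lines themselves, are constructed for illustration.

```php
<?php
// Added example for CVE-2025-23752: a minimal reflected-XSS probe detector over
// access-log lines. Not Patchstack's mitigation rule and not the plugin's code.
// The wp-admin URIs and parameter names in the samples below are hypothetical.

// Markers that commonly appear in reflected-XSS probes once the value is decoded.
const XSS_MARKERS = [
    '/<\s*script\b/i',
    '/\bon(error|load|mouseover|focus|click)\s*=/i',
    '/javascript\s*:/i',
    '/<\s*(img|svg|iframe|object|embed)\b/i',
    '/\b(alert|prompt|confirm|eval)\s*\(/i',
];

/**
 * True if the request URI's query string contains an XSS marker.
 * Decodes twice so both %3C and %253C (double-encoded) are caught.
 */
function looks_like_xss_probe(string $request_uri): bool {
    $query = parse_url($request_uri, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return false;
    }
    $decoded = rawurldecode(rawurldecode($query));
    foreach (XSS_MARKERS as $pattern) {
        if (preg_match($pattern, $decoded)) {
            return true;
        }
    }
    return false;
}

/** Parse one combined-format access log line; null if it does not match. */
function parse_access_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'uri'    => $m[4],
        'status' => (int) $m[5],
        'ua'     => $m[6],
    ];
}

/** Return parsed records for wp-admin requests whose query carries an XSS probe. */
function find_suspicious(array $lines): array {
    $hits = [];
    foreach ($lines as $line) {
        $r = parse_access_line($line);
        if ($r === null || strpos($r['uri'], '/wp-admin/') === false) {
            continue;
        }
        if (looks_like_xss_probe($r['uri'])) {
            $hits[] = $r;
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic). Line 1 is a benign admin request,
// line 2 a single-encoded <script> probe, line 3 a double-encoded event-handler
// probe, line 4 a probe against the public search page (outside wp-admin, ignored).
$sample = [
    '203.0.113.7 - - [27/Jan/2025:10:01:02 +0000] "GET /wp-admin/edit-tags.php?taxonomy=category&page=shopp-arrange HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [27/Jan/2025:10:02:15 +0000] "GET /wp-admin/edit-tags.php?page=shopp-arrange&taxonomy=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5211 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [27/Jan/2025:10:03:40 +0000] "GET /wp-admin/edit-tags.php?page=shopp-arrange&taxonomy=x%2522%2520onmouseover%253Dalert(1) HTTP/1.1" 200 5190 "-" "curl/8.5"',
    '198.51.100.5 - - [27/Jan/2025:10:04:01 +0000] "GET /?s=%3Cscript%3E HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
];

// Lines 2 and 3 are reported; lines 1 and 4 are not.
foreach (find_suspicious($sample) as $hit) {
    printf("%s %s %s %s\n", $hit['time'], $hit['ip'], $hit['status'], $hit['uri']);
}
```

Two caveats a practitioner should keep in mind: a 200 status on a probe tells you the page rendered, not that the payload executed, because a reflected XSS only fires when the victim's own browser loads the crafted URL; and decoding twice trades a few false positives on legitimate values containing a literal percent sign for catching the double-encoding that single-pass filters miss. Treat hits as leads for checking which administrator accounts visited those URLs, not as confirmed compromise.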

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 1
