VYPR
High severity · 7.1 · NVD Advisory · Published Mar 3, 2025 · Updated Apr 23, 2026

CVE-2025-23814

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRUDLab CRUDLab Like Box crudlab-facebook-like-box allows Reflected XSS. This issue affects CRUDLab Like Box: from n/a through <= 2.0.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in CRUDLab Like Box WordPress plugin up to version 2.0.9 allows script injection via unneutralized input.

The CRUDLab Like Box WordPress plugin (crudlab-facebook-like-box) suffers from a Reflected Cross-Site Scripting (XSS) vulnerability in all versions up to and including 2.0.9. The root cause is improper neutralization of user-supplied input during web page generation, which allows an attacker to inject arbitrary JavaScript into dynamically generated responses.

Exploitation requires user interaction: a privileged user must click a crafted link or visit a specially prepared page. The attacker does not need authentication but relies on social engineering to trick the target into performing the action. This is a typical reflected XSS pattern where the malicious payload is part of the request and reflected back in the response without proper sanitization.
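The advisory does not name the reflected parameter or the affected template, so the following is an added, illustrative example of the general pattern described above, not code from the CRUDLab Like Box plugin. It assumes a WordPress environment (esc_attr, esc_url_raw and wp_unslash are WordPress core functions) and a hypothetical query parameter fb_url that a shortcode renders into a data attribute; the function names are placeholders chosen for this example.

```php
<?php
// Illustrative reflected-XSS pattern and its fix. Hypothetical code, not the
// plugin's own; assumes WordPress core is loaded.

/**
 * Vulnerable shape: a request value is concatenated straight into markup.
 * Anything placed in the hypothetical "fb_url" parameter is reflected into the
 * attribute (and, after closing the quote, into the page) without neutralization.
 */
function likebox_render_vulnerable() {
    $url = isset( $_GET['fb_url'] ) ? $_GET['fb_url'] : '';
    return '<div class="fb-like-box" data-href="' . $url . '"></div>';
}

/**
 * Hardened shape: validate the value against what it is supposed to be
 * (a URL) and escape it for the exact output context (an HTML attribute).
 * Defence in depth: even if validation were bypassed, esc_attr() still
 * prevents breaking out of the attribute.
 */
function likebox_render_hardened() {
    $raw = isset( $_GET['fb_url'] ) ? wp_unslash( $_GET['fb_url'] ) : '';
    $url = esc_url_raw( $raw );          // drops values that are not a well-formed URL
    if ( '' === $url ) {
        return '';                        // fail closed rather than reflect garbage
    }
    return '<div class="fb-like-box" data-href="' . esc_attr( $url ) . '"></div>';
}
```

The two functions differ in one respect only: whether request-controlled text reaches the response through validation and context-specific escaping. This is also the behaviour a virtual-patch rule such as the one referenced in [1] emulates at the edge (rejecting requests whose parameter values contain markup), while the code change fixes the root cause in the plugin itself.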

Successful exploitation allows an attacker to execute arbitrary HTML and JavaScript in the browser of the victim, leading to actions such as redirecting visitors to malicious sites, injecting advertisements, or stealing session cookies. The attacker could also perform actions on behalf of the target if the privilege level permits, escalating the impact within the WordPress administrative context.

The vulnerability has a CVSS v3 score of 7.1 (High) and is considered at risk for mass exploitation campaigns [1]. As of the publication date, no official patch is available, but the Patchstack advisory provides a mitigation rule to block attacks [1]. Immediate action is advised: update the plugin if a patched version becomes available, or apply the suggested virtual patch from security providers [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0. No linked articles in our index yet.