CVE-2025-23843

Vulnerability

Description The WP-HR Manager plugin for WordPress (versions ≤3.1.0) contains a reflected cross-site scripting (XSS) vulnerability caused by improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker to inject arbitrary JavaScript into a web page, which can be executed in the context of a victim's browser session.

### Exploitation & Prerequisites The vulnerability is classified as reflected XSS, meaning the injected script is reflected off the web server immediately. Exploitation requires user interaction — the victim must click a crafted link, visit a specially crafted page, or submit a malicious form [1]. No authentication is required to trigger the flaw, making it accessible to unauthenticated attackers. As noted in the advisory, this type of vulnerability is frequently used in mass exploitation campaigns targeting WordPress sites regardless of traffic size [1].

Impact

Successful exploitation enables an attacker to inject malicious scripts, such as redirects, advertisements, or other HTML payloads. When the victim visits the affected page, the injected script executes, potentially leading to session hijacking, defacement, or redirection to malicious sites [1]. The CVSS score is 7.1 (High), reflecting the moderate complexity but significant potential for abuse.

Mitigation

The vendor has released version 3.2.0, which fixes the vulnerability. Users are strongly advised to update immediately [1]. For those unable to update, Patchstack provides a mitigation rule that blocks attacks until the patch is applied [1].