CVE-2025-23847

The WordPress Site Launcher plugin versions up to and including 0.9.4 contain a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw arises from insufficient sanitization of parameters that are reflected back to the user without proper encoding, enabling an attacker to inject arbitrary HTML and JavaScript code.

Exploitation requires user interaction, such as clicking a crafted link or visiting a specially prepared page [1]. An unauthenticated attacker can craft a malicious URL that, when visited by a privileged user (e.g., an administrator), executes the injected script in the context of the victim's browser session. This attack vector is commonly used in mass-exploit campaigns targeting thousands of WordPress sites regardless of their size or popularity [1].

Successful exploitation allows the attacker to perform actions such as redirecting visitors to malicious sites, injecting advertisements, or stealing sensitive information [1]. The CVSS v3 score of 7.1 (High) reflects the moderate complexity and potential for widespread impact, though user interaction is required.

As of the publication date, no official patch has been released for the Site Launcher plugin [1]. Users are advised to update the plugin immediately if a patched version becomes available. Alternatively, applying a virtual mitigation rule, such as the one provided by Patchstack, can block exploitation attempts until a permanent fix can be tested and deployed [1].