CVE-2025-23850
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mojowill Mojo Under Construction mojo-under-construction allows Reflected XSS. This issue affects Mojo Under Construction: from n/a through <= 1.1.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in the Mojo Under Construction plugin (≤1.1.2) allows attackers to inject malicious scripts via crafted requests.
Vulnerability Overview
The Mojo Under Construction plugin for WordPress, versions up to and including 1.1.2, contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during page generation. This means that user-supplied data is not properly sanitized before being included in the output, allowing an attacker to inject arbitrary HTML or JavaScript code into the response [1].
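The defect class described above, output built from request data without escaping, and its hardened counterpart, as an added PHP example. This is not the plugin's code: the parameter name preview_msg, the banner markup and the helper names are assumptions, since the page does not identify the affected parameter or template.

```php
<?php
// Added illustration; not the Mojo Under Construction plugin's code.
// The parameter "preview_msg", the banner markup and the helper names are
// assumed for this example only.

// Constructed sample input: markup a browser would interpret if echoed raw.
$constructed_input = '<b>hello</b><img src="x" alt="">';

// Vulnerable pattern (CWE-79): request data copied into the HTML response
// unchanged, so any markup in it becomes part of the page.
function render_banner_vulnerable(string $msg): string {
    return '<div class="uc-banner">' . $msg . '</div>';
}

// Hardened pattern: escape for the exact output context.
// Inside WordPress the core helpers esc_html()/esc_attr() apply; outside
// WordPress, htmlspecialchars() with ENT_QUOTES gives the same protection.
function esc_for_html(string $s): string {
    if (function_exists('esc_html')) {
        return esc_html($s);                      // WordPress core helper
    }
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function esc_for_attr(string $s): string {
    if (function_exists('esc_attr')) {
        return esc_attr($s);                      // WordPress core helper
    }
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_banner_hardened(string $msg): string {
    // Text-node context uses esc_for_html; attribute context uses esc_for_attr.
    // Escaping happens at output time, which is what "neutralization during
    // web page generation" means in the CWE-79 title.
    return '<div class="uc-banner" data-msg="' . esc_for_attr($msg) . '">'
         . esc_for_html($msg) . '</div>';
}

// Read the (assumed) parameter; fall back to the constructed sample so the
// script also runs from the command line, where $_GET is empty.
$msg = isset($_GET['preview_msg']) ? (string) $_GET['preview_msg'] : $constructed_input;

echo "Vulnerable output:\n" . render_banner_vulnerable($msg) . "\n\n";
echo "Hardened output:\n"   . render_banner_hardened($msg)   . "\n";
```

Run it with `php example.php` to see both renderings side by side: the vulnerable branch emits the `<b>` and `<img>` tags as live markup, while the hardened branch emits `&lt;b&gt;` and `&quot;` entities that the browser displays as text. Input-side filtering (such as sanitize_text_field in WordPress) is useful defence in depth, but the fix for reflected XSS is context-correct escaping at the point of output.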
Exploitation Method
The vulnerability is classified as reflected XSS, requiring user interaction from a privileged user (such as an administrator) who must click a malicious link, visit a specially crafted page, or submit a form. The attack can be initiated by an unauthenticated or low-privileged user, but exploitation depends on a higher-privileged user performing an action that triggers the reflected payload [1]. This makes the attack vector plausible in mass-exploit campaigns targeting thousands of WordPress sites [1].
Impact
If successfully exploited, the attacker can inject malicious scripts that execute in the context of the victim's browser. This may lead to actions such as redirecting visitors to malicious sites, displaying unwanted advertisements, or stealing sensitive information like session cookies. The CVSS v3 score of 7.1 (High) reflects the moderate impact and the requirement for user interaction [1].
Mitigation
The official advice is to update the plugin to a patched version immediately if available; as of the advisory, no automatic patch has been released. For immediate protection, Patchstack provides a mitigation rule that blocks attacks until an official update can be tested and safely applied [1]. Users unable to update are advised to contact their hosting provider or web developer for assistance.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 1.1.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.