CVE-2025-23737 Overview
CVE-2025-23737 is a reflected Cross-Site Scripting (XSS) vulnerability in the thobian Network-Favorites WordPress plugin. The flaw stems from improper neutralization of user-supplied input during web page generation [CWE-79]. Attackers can inject malicious scripts that execute in a victim's browser when the victim clicks a crafted link. The vulnerability affects all versions of Network-Favorites up to and including 1.1. Successful exploitation requires user interaction but no authentication. The issue was published to the National Vulnerability Database (NVD) on January 24, 2025.
Critical Impact
Attackers can execute arbitrary JavaScript in the context of a victim's session, leading to session hijacking, credential theft, and unauthorized actions performed on behalf of authenticated WordPress users including administrators.
Affected Products
- thobian Network-Favorites plugin for WordPress
- All versions from n/a through 1.1 (inclusive)
- WordPress sites running the vulnerable plugin
Discovery Timeline
- 2025-01-24 - CVE-2025-23737 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-23737
Vulnerability Analysis
The vulnerability is a reflected XSS condition mapped to [CWE-79]. The Network-Favorites plugin reflects user-supplied input back into HTTP responses without proper output encoding or input sanitization. When a user visits a crafted URL, the injected payload renders as executable script in the browser. Because the attack scope changes (CVSS Scope: Changed), the injected script can affect resources beyond the vulnerable component, including the surrounding WordPress site context. The EPSS score is 0.187% (40.1 percentile), indicating low predicted exploitation activity at this time.
Root Cause
The root cause is missing input validation and output encoding on request parameters processed by the plugin. User input enters an HTTP response without HTML entity encoding or contextual escaping. WordPress provides helper functions such as esc_html(), esc_attr(), and wp_kses() for safe output, but the plugin fails to apply them on the affected sink before echoing data into the page.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker crafts a URL containing a JavaScript payload in a vulnerable parameter handled by the plugin. The attacker delivers the URL through phishing emails, malicious comments, or social platforms. When the victim opens the link on a site running Network-Favorites 1.1 or earlier, the browser parses and executes the injected script in the WordPress origin. The script can steal cookies, read the Document Object Model (DOM), perform Cross-Site Request Forgery (CSRF) actions, or pivot to administrative functions if the victim is logged in as an administrator.
No verified public proof-of-concept code is available. Refer to the Patchstack Security Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-23737
Indicators of Compromise
- HTTP request logs containing URL parameters with <script>, javascript:, onerror=, or onload= payloads targeting Network-Favorites endpoints.
- Outbound requests from browsers to attacker-controlled domains immediately after visiting plugin URLs.
- Unexpected administrative actions in WordPress audit logs originating from authenticated administrator sessions.
Detection Strategies
- Inspect web server access logs for encoded XSS payloads such as %3Cscript%3E or %3Cimg%20src%3D in query strings targeting Network-Favorites pages.
- Deploy a Web Application Firewall (WAF) with OWASP Core Rule Set signatures for reflected XSS patterns.
- Run authenticated vulnerability scans against WordPress installations to enumerate the Network-Favorites plugin and its version.
Monitoring Recommendations
- Forward WordPress and web server logs to a centralized analytics platform for correlation and alerting on XSS payload patterns.
- Alert on Content Security Policy (CSP) violation reports indicating inline script execution from unexpected sources.
- Monitor administrator session activity for anomalous behavior such as new user creation or plugin installation following a suspicious link click.
How to Mitigate CVE-2025-23737
Immediate Actions Required
- Identify WordPress sites running the Network-Favorites plugin and confirm the installed version.
- Deactivate and remove Network-Favorites version 1.1 and earlier until a patched release is verified.
- Enforce a strict Content Security Policy that blocks inline script execution and restricts script sources.
- Require administrators to re-authenticate and rotate session cookies and passwords if exploitation is suspected.
Patch Information
No fixed version is identified in the available advisory data. The vulnerability affects Network-Favorites up to and including version 1.1. Site operators should monitor the Patchstack advisory and the official WordPress plugin repository for a patched release. Until then, removal of the plugin is the recommended mitigation.
Workarounds
- Uninstall the Network-Favorites plugin entirely if business requirements allow.
- Deploy a WAF rule that blocks requests containing script tags or JavaScript event handlers in query parameters destined for plugin endpoints.
- Train administrators to avoid clicking unsolicited links to their own WordPress site and to use separate browsers or sessions for administrative work.
- Enable HTTP-only and SameSite cookie attributes to limit script access to session cookies.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
