CVE-2025-23469

2025-12-30

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 16:39 (vuln.today)
CVE Published: Dec 30, 2025 - 00:15 (nvd)

Description (NVD)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sleekplan Sleekplan sleekplan allows Reflected XSS. This issue affects Sleekplan: from n/a through <= 0.2.0.

Analysis (AI)

Reflected XSS in Sleekplan WordPress plugin through version 0.2.0 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by users. The vulnerability exists in the plugin's input handling during web page generation, enabling attackers to steal session cookies, perform unauthorized actions on behalf of victims, or redirect users to malicious sites. No active exploitation has been confirmed, but the attack vector is network-based with low complexity.

Technical Context (AI)

The Sleekplan WordPress plugin fails to properly sanitize and validate user-supplied input before rendering it in HTML responses, creating a Reflected XSS vulnerability classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). This type of flaw occurs when untrusted data is reflected directly into the response without encoding or filtering, allowing attackers to inject arbitrary JavaScript that executes in the victim's browser within the security context of the WordPress site. The vulnerability affects the plugin at version 0.2.0 and earlier, suggesting the input validation weakness exists across multiple functions or endpoints in the plugin's codebase.
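The flaw class described above, shown in WordPress plugin terms as an added illustration that is not the Sleekplan plugin's code: the advisory does not name the affected parameter or endpoint, so the `sp_query` parameter, the shortcode and both function names are hypothetical. The first function reflects the request value unescaped; the second sanitizes it on input and escapes it for each HTML context on output with WordPress core functions.

```php
<?php
// Added illustration, not code from the Sleekplan plugin. The advisory does not
// identify the affected parameter or endpoint; "sp_query", the shortcode name
// and both function names are hypothetical.

// Vulnerable pattern (CWE-79): the request parameter is written into the page
// verbatim, so whatever markup or script it carries becomes part of the
// response and runs in the browser of anyone who follows the link.
function hypothetical_feedback_widget_vulnerable() {
    $query = isset( $_GET['sp_query'] ) ? $_GET['sp_query'] : '';
    return '<input type="text" name="sp_query" value="' . $query . '">'
         . '<p>Results for: ' . $query . '</p>';
}

// Hardened form: wp_unslash() strips the slashes WordPress adds to request
// data, sanitize_text_field() drops tags and control characters on input, and
// the output is escaped for its exact context: esc_attr() inside an attribute
// value, esc_html() inside element text. Escaping on output is the control
// that actually neutralizes the reflected value; sanitizing alone is not enough.
function hypothetical_feedback_widget_hardened() {
    $query = isset( $_GET['sp_query'] )
        ? sanitize_text_field( wp_unslash( $_GET['sp_query'] ) )
        : '';
    return '<input type="text" name="sp_query" value="' . esc_attr( $query ) . '">'
         . '<p>Results for: ' . esc_html( $query ) . '</p>';
}

// Register only the hardened renderer as the shortcode handler.
add_shortcode( 'hypothetical_feedback_widget', 'hypothetical_feedback_widget_hardened' );
```

When reviewing a plugin for this class of bug, look for every `echo`, string concatenation or template output that carries `$_GET`, `$_POST` or `$_REQUEST` data and confirm it passes through the escaping function matching its HTML context.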

Affected Products (AI)

Sleekplan WordPress plugin version 0.2.0 and all earlier versions are affected. The plugin is distributed through the WordPress.org plugin repository and identified via the Patchstack vulnerability database. No specific CPE string is provided in the input data; however, the vulnerability report originates from Patchstack's WordPress plugin security scanning, indicating the affected software is the sleekplan plugin for WordPress.

Remediation (AI)

Update the Sleekplan plugin to a version newer than 0.2.0 immediately; consult the official WordPress plugin repository or the vendor's update mechanism for the latest patched release. Until an update is available, disable or remove the Sleekplan plugin from production environments to eliminate the attack surface. Additionally, implement Web Application Firewall (WAF) rules to filter malicious payloads in query parameters and POST data targeting the plugin's endpoints, and educate users to avoid clicking suspicious links that reference the site. For technical details and confirmation of available patches, refer to the Patchstack vulnerability report at https://patchstack.com/database/Wordpress/Plugin/sleekplan/vulnerability/wordpress-sleekplan-plugin-0-2-0-reflected-cross-site-scripting-xss-vulnerability.
