CVE-2025-23608

2025-12-31 [email protected]

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 16:39 (vuln.today)
CVE Published: Dec 31, 2025 - 18:15 (nvd)

Description (NVD)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Omar Mohamed Mohamoud LIVE TV live-tv allows Reflected XSS. This issue affects LIVE TV: from n/a through <= 1.2.

Analysis (AI)

Reflected cross-site scripting (XSS) in the LIVE TV WordPress plugin version 1.2 and below allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability exists due to improper neutralization of user input during page generation, enabling attackers to steal session cookies, redirect users, or perform actions on behalf of victims through crafted URLs. No active exploitation has been confirmed, and the EPSS score of 0.01% indicates minimal real-world exploitation likelihood despite the XSS vector.

Technical Context (AI)

The LIVE TV WordPress plugin fails to properly sanitize and escape user-supplied input before rendering it in dynamically generated web pages. This is a classic reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation), where unsanitized query parameters or form inputs are echoed directly into the HTML response without encoding. WordPress plugins are server-side PHP applications that process HTTP requests; reflected XSS occurs when attacker-controlled data flows from the request into the response without proper context-aware output encoding. The affected product is identified by CPE context as a WordPress plugin distributed through the official WordPress plugin repository, making it accessible to any WordPress installation with the plugin installed and active.

Affected Products (AI)

The LIVE TV WordPress plugin (authored by Omar Mohamed Mohamoud) is affected in versions 1.2 and below. The plugin is distributed through the official WordPress plugin repository and installed on any WordPress site that has explicitly activated it. The Patchstack reference (https://patchstack.com/database/Wordpress/Plugin/live-tv/vulnerability/wordpress-live-tv-plugin-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) provides detailed vulnerability and remediation tracking.

Remediation (AI)

Update the LIVE TV plugin to version 1.3 or later, which should contain the XSS input sanitization fixes. Users can update through the WordPress plugin dashboard (Plugins > Installed Plugins > LIVE TV > Update), or via command line using wp plugin update live-tv. As an interim workaround pending update deployment, disable the LIVE TV plugin if it is not actively required, or restrict access to the WordPress admin interface and the pages served by the plugin to trusted IP ranges. For detailed patch information and validation, consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/live-tv/vulnerability/wordpress-live-tv-plugin-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
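
To find installs that still need the update or the interim disable step, the following added example (not part of the advisory or the plugin's own code) checks a WordPress tree for the live-tv plugin and compares its declared version against the affected range of 1.2 and below. It assumes the default wp-content/plugins/live-tv location and a standard "Version:" plugin header; the function names are illustrative.

```shell
#!/bin/sh
# Added example: flag a WordPress tree that carries LIVE TV (slug live-tv) <= 1.2.
# Assumptions: default layout wp-content/plugins/live-tv, and a top-level PHP
# file there with a standard "Version:" plugin header.
AFFECTED_MAX="1.2"   # last affected version per the advisory text

# Print the plugin's declared version. Returns 1 if absent, 2 if no header found.
plugin_version() {
    dir="$1/wp-content/plugins/live-tv"
    [ -d "$dir" ] || return 1
    for f in "$dir"/*.php; do
        [ -f "$f" ] || continue
        # WordPress only reads the header from the first 8 KiB of the file.
        v=$(head -c 8192 "$f" |
            sed -n 's|^[[:space:]*#@/]*Version:[[:space:]]*\([^[:space:]]*\).*$|\1|p' |
            head -n 1)
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    return 2
}

# Succeeds when $1 <= $2, comparing dot-separated fields numerically
# (so 1.10 > 1.2 and 1.2.0 == 1.2).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print a one-line verdict for the WordPress root in $1.
# Exit status: 0 clean or not installed, 1 affected, 2 version unreadable.
check_site() {
    ver=$(plugin_version "$1") && rc=0 || rc=$?
    case $rc in
        1) echo "not-installed"; return 0 ;;
        2) echo "unknown-version"; return 2 ;;
    esac
    if version_le "$ver" "$AFFECTED_MAX"; then
        echo "affected $ver"; return 1
    fi
    echo "not-affected $ver"
}

if [ "$#" -gt 0 ]; then check_site "$1"; fi
```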
