Skip to main content

Christopher Churchill CVE-2025-23667

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-12-31 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:43 NVD
7.1 (HIGH)
Analysis Generated
Apr 01, 2026 - 16:39 vuln.today
CVE Published
Dec 31, 2025 - 20:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Christopher Churchill custom-post-edit front-end-post-edit allows Reflected XSS.This issue affects custom-post-edit: from n/a through <= 1.0.4.

AnalysisAI

Reflected cross-site scripting (XSS) in the front-end-post-edit WordPress plugin through version 1.0.4 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites through crafted URLs. No public exploit code or active exploitation has been confirmed at the time of analysis, though the low EPSS score (0.04%, 14th percentile) suggests limited real-world exploitation likelihood despite the XSS vector being a common attack method.

Technical ContextAI

The vulnerability is a reflected cross-site scripting (CWE-79) flaw in the Christopher Churchill custom-post-edit WordPress plugin (CPE: affected versions through 1.0.4). Reflected XSS occurs when user-supplied input is echoed back to the user in HTTP responses without proper sanitization or encoding. In WordPress plugins, this typically involves URL parameters or form inputs that are directly rendered in HTML output without escaping functions like esc_html(), esc_attr(), or esc_js(). The front-end-post-edit plugin likely processes user input for post editing functionality on the website frontend, and fails to properly neutralize malicious characters or scripts that could be executed in a victim's browser when they follow a specially crafted link.

Affected ProductsAI

The front-end-post-edit WordPress plugin by Christopher Churchill is affected in all versions from initial release through version 1.0.4. The plugin enables frontend post editing functionality for WordPress users. More specific version-range information and CPE identification details are available in the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/front-end-post-edit/vulnerability/wordpress-custom-post-edit-plugin-1-0-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.

RemediationAI

Update the front-end-post-edit plugin to a patched version released after 1.0.4 (exact version number not provided in available data; consult Patchstack database or the plugin's official WordPress repository for the latest version). Organizations unable to immediately upgrade should disable the plugin until a patch is available. The primary remediation is to apply vendor-released patches as they become available, which should include proper input validation and output escaping throughout the plugin's front-end post-editing workflow. Refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/front-end-post-edit/vulnerability/wordpress-custom-post-edit-plugin-1-0-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for the latest patch status and alternative workarounds if available from the plugin maintainer.

Share

CVE-2025-23667 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy