CVE-2025-23667
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Christopher Churchill custom-post-edit front-end-post-edit allows Reflected XSS. This issue affects custom-post-edit: from n/a through <= 1.0.4.
Analysis
Reflected cross-site scripting (XSS) in the front-end-post-edit WordPress plugin through version 1.0.4 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation; a crafted URL can be used to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites. No public exploit code or active exploitation had been confirmed at the time of analysis, and the low EPSS score (0.04%, 14th percentile) suggests limited real-world exploitation likelihood, even though XSS is a common attack vector.
Technical Context
The vulnerability is a reflected cross-site scripting (CWE-79) flaw in the Christopher Churchill custom-post-edit WordPress plugin (affected versions: all through 1.0.4). Reflected XSS occurs when user-supplied input is echoed back to the user in an HTTP response without proper sanitization or context-appropriate encoding. In WordPress plugins this typically means URL parameters or form inputs that are rendered directly into HTML output without escaping functions such as esc_html(), esc_attr(), or esc_js(). The front-end-post-edit plugin likely processes user input for its post-editing functionality on the site's front end and fails to neutralize characters or scripts that are then executed in a victim's browser when the victim follows a specially crafted link.
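As an added illustration (not code from the front-end-post-edit plugin or from the Patchstack advisory), the pattern described above beside a hardened form. The request parameter name `post_title`, the function names, and the rendering context are assumptions chosen to show the mechanism; the plugin's actual code path is not published on this page.

```php
<?php
// Added illustration only; NOT the plugin's code. The parameter name
// 'post_title' and the function names below are assumptions.

// Vulnerable pattern (CWE-79): a query-string value is concatenated straight
// into the HTML response. Anything the value contains is rendered as markup,
// both inside the attribute and inside the element body.
function fepe_demo_render_vulnerable() {
    $title = isset( $_GET['post_title'] ) ? $_GET['post_title'] : '';
    return '<input type="text" name="post_title" value="' . $title . '">'
         . '<p>Editing: ' . $title . '</p>';
}

// Hardened pattern: unslash and sanitize on the way in, then escape for the
// exact output context on the way out. esc_attr() for attribute values,
// esc_html() for element text; a value placed in inline JavaScript would
// need esc_js() or wp_json_encode() instead, never plain concatenation.
function fepe_demo_render_hardened() {
    // A front-end editor should also gate on capability, so the form is not
    // reachable by anonymous visitors at all (defense in depth, not the XSS
    // fix itself).
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
        return '';
    }

    $title = isset( $_GET['post_title'] )
        ? sanitize_text_field( wp_unslash( $_GET['post_title'] ) )
        : '';

    return '<input type="text" name="post_title" value="' . esc_attr( $title ) . '">'
         . '<p>Editing: ' . esc_html( $title ) . '</p>';
}
```

The important point for reviewers auditing similar plugins is that sanitization on input is not a substitute for escaping on output: `sanitize_text_field()` strips tags and some characters, but the escaping call at the point of rendering is what guarantees the value cannot break out of its HTML context.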
Affected Products
The front-end-post-edit WordPress plugin by Christopher Churchill is affected in all versions from initial release through version 1.0.4. The plugin enables frontend post editing functionality for WordPress users. More specific version-range information and CPE identification details are available in the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/front-end-post-edit/vulnerability/wordpress-custom-post-edit-plugin-1-0-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Remediation
Update the front-end-post-edit plugin to a patched version released after 1.0.4 (exact version number not provided in available data; consult Patchstack database or the plugin's official WordPress repository for the latest version). Organizations unable to immediately upgrade should disable the plugin until a patch is available. The primary remediation is to apply vendor-released patches as they become available, which should include proper input validation and output escaping throughout the plugin's front-end post-editing workflow. Refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/front-end-post-edit/vulnerability/wordpress-custom-post-edit-plugin-1-0-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for the latest patch status and alternative workarounds if available from the plugin maintainer.