CVE-2025-23707
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matamko En Masse en-masse-wp allows Reflected XSS. This issue affects En Masse: from n/a through <= 1.0.
Analysis
Reflected cross-site scripting (XSS) in En Masse WordPress plugin versions 1.0 and earlier allows unauthenticated remote attackers to inject arbitrary JavaScript into web pages viewed by other users. The flaw stems from improper neutralization of input during web page generation, which lets an attacker craft a malicious URL that, when opened by a victim, executes script in the context of the affected site. No active exploitation has been confirmed, and real-world risk is low given the EPSS score of 0.04% (14th percentile), though because the plugin can be installed on any WordPress site, every site that deploys it is exposed.
Technical Context
The En Masse WordPress plugin fails to properly sanitize user-controlled input before rendering it in dynamically generated web pages, violating CWE-79 (Improper Neutralization of Input During Web Page Generation). This is a classic reflected XSS vulnerability where attacker-supplied parameters are echoed back to the user's browser without HTML encoding or content security controls. The vulnerability affects the plugin's core request handling mechanism, likely in URL parameters or form inputs that are directly rendered in page HTML without adequate encoding or validation filters.
Affected Products
En Masse WordPress plugin (matamko/en-masse-wp) versions 1.0 and earlier are affected. The plugin is distributed through the WordPress.org plugin repository and is identifiable via CPE context as a WordPress plugin component.
Remediation
Update the En Masse plugin to a version later than 1.0 if the vendor has released a patched version, or disable and remove the plugin if no patch is available. Input sanitization should be implemented by the plugin developer using WordPress security functions such as sanitize_text_field() and esc_attr() for user-supplied data rendered in HTML contexts. Site administrators using this plugin should track the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/en-masse-wp/vulnerability/wordpress-en-masse-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability, apply any security updates the vendor releases, and consider temporarily disabling the plugin if updates are unavailable. Content Security Policy headers may provide additional mitigation for reflected XSS attacks.
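The remediation above names the WordPress functions a developer should use. The following is an added, hypothetical example of the vulnerable reflection pattern beside its hardened form; it is not code from the En Masse plugin, and the function names, the `q` parameter and the CSP policy are assumptions.

```php
<?php
// Added example (not the En Masse plugin's own code): a hypothetical WordPress
// handler that reflects a request parameter, first in the unsafe pattern the
// advisory describes, then hardened with WordPress sanitization and escaping.

// Vulnerable pattern: the raw query parameter is concatenated straight into the
// page. Any quote or angle bracket in the value becomes markup, not text.
function enmasse_demo_search_form_vulnerable() {
    $term = isset( $_GET['q'] ) ? $_GET['q'] : '';
    echo '<form method="get">';
    echo '<input type="text" name="q" value="' . $term . '">'; // unescaped attribute value
    echo '</form>';
    echo '<p>Results for: ' . $term . '</p>';                  // unescaped element content
}

// Hardened pattern: unslash and sanitize on input, then escape for the exact
// output context (esc_attr() inside an attribute, esc_html() in element content).
function enmasse_demo_search_form_hardened() {
    $term = isset( $_GET['q'] )
        ? sanitize_text_field( wp_unslash( $_GET['q'] ) )
        : '';
    echo '<form method="get">';
    echo '<input type="text" name="q" value="' . esc_attr( $term ) . '">';
    echo '</form>';
    echo '<p>Results for: ' . esc_html( $term ) . '</p>';
}

// Only the hardened variant is exposed as a shortcode (hypothetical tag name).
add_shortcode( 'enmasse_demo_search', function () {
    ob_start();
    enmasse_demo_search_form_hardened();
    return ob_get_clean();
} );

// Defence in depth, as the advisory suggests: a Content-Security-Policy header
// that refuses inline script. Assumed policy; test it first, since themes and
// the WordPress admin commonly rely on inline scripts and may need adjustments.
add_action( 'send_headers', function () {
    if ( ! is_admin() ) {
        header( "Content-Security-Policy: default-src 'self'; script-src 'self'" );
    }
} );
```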