Skip to main content

Matamko En Masse CVE-2025-23707

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-12-31 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:43 NVD
7.1 (HIGH)
Analysis Generated
Apr 01, 2026 - 16:39 vuln.today
CVE Published
Dec 31, 2025 - 20:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matamko En Masse en-masse-wp allows Reflected XSS.This issue affects En Masse: from n/a through <= 1.0.

AnalysisAI

Reflected cross-site scripting (XSS) in En Masse WordPress plugin versions 1.0 and earlier allows unauthenticated remote attackers to inject arbitrary JavaScript into web pages viewed by other users. The vulnerability exists due to improper input neutralization during web page generation, enabling attackers to craft malicious URLs that execute scripts in the context of affected websites. No active exploitation has been confirmed, and real-world risk is low given the EPSS score of 0.04% (14th percentile), though the plugin's accessibility to any WordPress installation creates potential for attack.

Technical ContextAI

The En Masse WordPress plugin fails to properly sanitize user-controlled input before rendering it in dynamically generated web pages, violating CWE-79 (Improper Neutralization of Input During Web Page Generation). This is a classic reflected XSS vulnerability where attacker-supplied parameters are echoed back to the user's browser without HTML encoding or content security controls. The vulnerability affects the plugin's core request handling mechanism, likely in URL parameters or form inputs that are directly rendered in page HTML without adequate encoding or validation filters.

Affected ProductsAI

En Masse WordPress plugin (matamko/en-masse-wp) versions 1.0 and earlier are affected. The plugin is distributed through the WordPress.org plugin repository and is identifiable via CPE context as a WordPress plugin component.

RemediationAI

Update the En Masse plugin to a version later than 1.0 if the vendor has released a patched version, or disable and remove the plugin if no patch is available. Input sanitization should be implemented by the plugin developer using WordPress security functions such as sanitize_text_field() and esc_attr() for user-supplied data rendered in HTML contexts. Site administrators using this plugin should review and apply any security updates from the vendor at https://patchstack.com/database/Wordpress/Plugin/en-masse-wp/vulnerability/wordpress-en-masse-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability, and consider temporarily disabling the plugin if updates are unavailable. Content Security Policy headers may provide additional mitigation for reflected XSS attacks.

Share

CVE-2025-23707 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy