CVE-2025-23719
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zckevin ZhinaTwitterWidget zhina-twitter-widget allows Reflected XSS. This issue affects ZhinaTwitterWidget: from n/a through <= 1.0.
Analysis
Reflected cross-site scripting (XSS) in the ZhinaTwitterWidget WordPress plugin, version 1.0 and earlier, allows unauthenticated attackers to inject script into pages rendered for any user who opens a crafted link. The vulnerability stems from improper input sanitization during page generation: request data is reflected into the HTML output without encoding, so a malicious URL can execute arbitrary JavaScript in the victim's browser. No public exploit code or active exploitation had been identified at the time of analysis.
Technical Context
ZhinaTwitterWidget is a WordPress plugin that integrates Twitter functionality into WordPress sites. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), the class of XSS flaws in which user-supplied input is reflected in HTTP responses without proper output encoding or filtering. In this case, the plugin fails to sanitize query parameters or request data before rendering them in HTML output, allowing an attacker to inject arbitrary HTML and JavaScript. Plugin code runs with the same privileges as WordPress core, and its output is served from the site's own origin, so injected script executes with the victim's session and cookies; XSS in a plugin is therefore a direct pathway to session hijacking, credential theft, malware injection, or site defacement.
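The CWE-79 pattern described above, shown beside its WordPress-idiomatic fix, as an added example written for this entry; it is not ZhinaTwitterWidget's code, and the `screen_name` parameter and the function names are assumed.

```php
<?php
// Added example, not the plugin's code. Assumes a widget that reflects a
// hypothetical "screen_name" request parameter into its markup.

// VULNERABLE (CWE-79): raw request data concatenated straight into HTML.
// Both the href attribute and the text node are injection points.
function zhina_example_vulnerable_output() {
    $name = isset( $_GET['screen_name'] ) ? $_GET['screen_name'] : '';
    echo '<a class="twitter-timeline" href="https://twitter.com/' . $name . '">'
       . 'Tweets by ' . $name . '</a>';
}

// HARDENED: validate on input, then escape for each output context.
// Sanitizing alone is not enough; escaping must happen at the point of output.
function zhina_example_hardened_output() {
    $name = isset( $_GET['screen_name'] )
        ? sanitize_text_field( wp_unslash( $_GET['screen_name'] ) )
        : '';

    // Twitter handles are 1-15 characters from [A-Za-z0-9_]; reject anything else
    // rather than trying to strip dangerous characters out of it.
    if ( ! preg_match( '/^[A-Za-z0-9_]{1,15}$/', $name ) ) {
        $name = '';
    }

    $url = 'https://twitter.com/' . rawurlencode( $name );

    // esc_url() for the URL attribute, esc_attr() for a plain attribute,
    // esc_html() for the text node.
    printf(
        '<a class="twitter-timeline" href="%s" data-screen-name="%s">Tweets by %s</a>',
        esc_url( $url ),
        esc_attr( $name ),
        esc_html( $name )
    );
}
```

With the hardened version, a value such as `"><script>` fails validation and is dropped, and even a value that passed validation would be encoded before reaching the page.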
Affected Products
ZhinaTwitterWidget WordPress plugin version 1.0 and all earlier versions are affected. The plugin is distributed through the WordPress.org plugin repository. Users running ZhinaTwitterWidget up to and including version 1.0 are vulnerable to reflected XSS attacks.
Remediation
Update ZhinaTwitterWidget to a patched version released after version 1.0. Refer to the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/zhina-twitter-widget/vulnerability/wordpress-zhinatwitterwidget-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability for the latest patched release and advisory details. If an updated version is not yet available, disable or remove the plugin from WordPress installations until a security update is released. As a temporary mitigation, restrict access to WordPress admin functions and educate users not to click on suspicious links containing unusual query parameters.