Random Posts, Mp3 Player + ShareButton CVE-2025-23744
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dvs11 Random Posts, Mp3 Player + ShareButton allows Reflected XSS. This issue affects Random Posts, Mp3 Player + ShareButton: from n/a through 1.4.1.
AnalysisAI
Reflected cross-site scripting (XSS) in Random Posts, Mp3 Player + ShareButton WordPress plugin through version 1.4.1 allows remote attackers to inject malicious scripts that execute in victim browsers with changed security context (scope change indicated in CVSS). Discovered by Patchstack security audit team. EPSS score of 0.08% (23rd percentile) indicates low current exploitation probability in the wild, and no active exploitation confirmed by CISA KEV. No public exploit code identified at time of analysis, though XSS vulnerabilities typically have low weaponization barriers.
Technical ContextAI
This is a reflected XSS vulnerability (CWE-79) in a WordPress plugin that combines random post display, MP3 playback, and social sharing functionality. The flaw stems from improper neutralization of user-supplied input during HTML generation, allowing attackers to inject arbitrary JavaScript or HTML. The CVSS scope change (S:C) from Unchanged to Changed indicates the vulnerability can affect resources beyond the plugin's own security scope, meaning injected scripts execute in the victim's WordPress session context with access to cookies, session tokens, and other site data. Reflected XSS requires the payload to be delivered via crafted URL or form submission rather than being persistently stored in the database, distinguishing it from stored XSS variants.
Affected ProductsAI
The vulnerability affects dvs11 Random Posts, Mp3 Player + ShareButton WordPress plugin versions from initial release through version 1.4.1 inclusive. All installations running version 1.4.1 or earlier are vulnerable regardless of WordPress core version or server configuration. The plugin provides functionality for displaying random posts, embedding MP3 audio players, and adding social media share buttons to WordPress sites. Vendor details and specific CPE identifiers were not provided in available data sources. Patchstack advisory available at https://patchstack.com/database/wordpress/plugin/random-posts-mp3-player-sharebutton/vulnerability/wordpress-random-posts-mp3-player-sharebutton-plugin-1-4-1-reflected-cross-site-scripting-xss-vulnerability.
RemediationAI
Primary remediation requires updating to a patched version newer than 1.4.1, though the exact fixed version number is not confirmed in available data sources. Check the WordPress plugin repository or contact plugin author dvs11 for the latest security-patched release. As interim mitigation if no patch is available or immediate update is not feasible, implement Web Application Firewall (WAF) rules to filter XSS patterns in GET/POST parameters specific to this plugin's endpoints, though this may interfere with legitimate plugin functionality involving special characters. Consider temporarily deactivating the plugin if random posts, MP3 player, and share button features are non-critical to site operations - this eliminates the attack surface entirely but removes all plugin functionality. Restrict WordPress admin access to trusted IP addresses and enforce multi-factor authentication to limit impact if XSS successfully targets administrator sessions. Review Patchstack advisory for additional details at https://patchstack.com/database/wordpress/plugin/random-posts-mp3-player-sharebutton/vulnerability/wordpress-random-posts-mp3-player-sharebutton-plugin-1-4-1-reflected-cross-site-scripting-xss-vulnerability. Note that WAF-based mitigation may generate false positives on legitimate user input containing HTML-like syntax.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today