CVE-2025-23757

2025-12-31

Lifecycle Timeline

CVE Published: Dec 31, 2025 - 20:15 (nvd)
Analysis Generated: Apr 01, 2026 - 17:26 (vuln.today)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proloy Chakroborty ZD Scribd iPaper zd-scribd-ipaper allows Reflected XSS. This issue affects ZD Scribd iPaper: from n/a through <= 1.0.

Analysis

Reflected cross-site scripting (XSS) in the ZD Scribd iPaper WordPress plugin, versions up to and including 1.0, lets an unauthenticated attacker run script in the browser of any user who opens a crafted link to the affected site. The root cause is improper neutralization of request input during web page generation (CWE-79). With an EPSS score of 0.04%, no public proof of concept and no confirmed exploitation in the wild, this is a lower-priority issue despite the XSS classification. It is still exploitable wherever the plugin is active: the attacker needs only to craft the URL and get a victim, ideally a logged-in editor or administrator, to open it.

Technical Context

The vulnerability is a reflected XSS flaw in the ZD Scribd iPaper WordPress plugin, a component that embeds Scribd documents through Scribd's iPaper viewer. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation): a value taken from the request is written into the HTML response without being encoded for the context it lands in (HTML body, attribute value or URL). An attacker who gets a victim to open a crafted URL on the affected site therefore has arbitrary JavaScript execute in the victim's browser, in the site's origin, where it can read the page, modify the DOM and issue same-origin requests with the victim's authenticated session. Nonce and capability checks, which WordPress plugins normally rely on, are not a defence here: they decide who may perform an action, not whether a request parameter is echoed back unescaped, so the payload fires for any visitor, logged in or not, and delivering the link requires no authentication.
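The pattern described above, as an added example that is not the plugin's code (the affected function in zd-scribd-ipaper is not shown on this page). It is a hypothetical WordPress-style embed handler: the `doc` parameter name, the function names and the Scribd embed URL shape are assumptions made for illustration. The vulnerable form interpolates the request value into an attribute; the hardened form allow-lists the value and then escapes it with `esc_attr()`, which is what the WordPress fix for this class of bug normally looks like.

```php
<?php
// Added illustration of a reflected XSS in a WordPress-style embed handler.
// Hypothetical code: NOT taken from the zd-scribd-ipaper plugin. Parameter
// name, function names and URL shape are assumptions made for this example.

// Shim so the file runs under the php CLI outside WordPress; inside WordPress
// the real esc_attr() from wp-includes/formatting.php is used instead.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable: the request parameter is interpolated straight into HTML.
// A value containing a double quote closes the src attribute; everything
// after it becomes markup and executes for whoever loads the link.
function render_embed_vulnerable(array $get): string {
    $doc = $get['doc'] ?? '';
    return '<iframe src="https://www.scribd.com/embeds/' . $doc . '"></iframe>';
}

// Hardened: validate the value against the shape it must have (a document id
// here is assumed to be numeric), then escape for the attribute context anyway.
// The allow-list is the primary control; escaping keeps the function safe if
// the allow-list is later loosened to accept other characters.
function render_embed_fixed(array $get): string {
    $doc = $get['doc'] ?? '';
    if (!is_string($doc) || !preg_match('/^[0-9]{1,20}$/', $doc)) {
        return '<!-- invalid document id -->';
    }
    return '<iframe src="https://www.scribd.com/embeds/' . esc_attr($doc) . '"></iframe>';
}

// Constructed request values: the kind of thing a crafted link would carry,
// and a legitimate id. In a live plugin these would come from $_GET.
$malicious = ['doc' => '"><script>alert(document.domain)</script><iframe x="'];
$benign    = ['doc' => '123456'];

echo "vulnerable: ", render_embed_vulnerable($malicious), "\n";
// The output above contains a live <script> element the browser will run.
echo "fixed:      ", render_embed_fixed($malicious), "\n";
// The payload is rejected; only the placeholder comment reaches the page.
echo "fixed ok:   ", render_embed_fixed($benign), "\n";
```

Run it with `php example.php` and compare the two outputs for the malicious value. The same rule applies to every output context: `esc_html()` for text nodes, `esc_attr()` for attribute values and `esc_url()` for anything placed in `href` or `src`; sanitizing on input (`sanitize_text_field()`) is not a substitute for escaping at the point of output.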

Affected Products

ZD Scribd iPaper WordPress plugin versions up to and including 1.0 are affected. The plugin, developed by Proloy Chakroborty, embeds Scribd documents through Scribd's iPaper viewer. The advisory lists no lower bound ("from n/a"), so every release up to 1.0 should be treated as vulnerable. Site owners running this plugin should check the installed version (it is shown under Plugins in wp-admin, or with `wp plugin list`) and confirm whether a fixed release exists before relying on an update. Additional CPE or version details are available in the Patchstack vulnerability database referenced in the advisory.

Remediation

Update ZD Scribd iPaper to a patched version if one is available from the plugin developer or the WordPress.org plugin repository. Check the Patchstack database (https://patchstack.com/database/Wordpress/Plugin/zd-scribd-ipaper/vulnerability/wordpress-zd-scribd-ipaper-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) for the specific fixed version number and installation instructions. If no patched version is currently available, deactivate or remove the plugin until a fix is released (`wp plugin deactivate zd-scribd-ipaper` or `wp plugin delete zd-scribd-ipaper` with WP-CLI); a deactivated plugin's front-end handlers no longer run, which removes the reflection point. Compensating controls reduce exposure but do not fix the bug: Web Application Firewall (WAF) rules can block common reflected XSS payloads but are signature-based and routinely bypassed; a Content Security Policy (CSP) that omits 'unsafe-inline' from script-src stops the injected inline script from executing, but WordPress core and many themes depend on inline scripts, so roll it out first as Content-Security-Policy-Report-Only and review the violation reports before enforcing. Reviewing web server logs for requests to the plugin's endpoints that carry angle brackets or script fragments, and reminding privileged users not to follow unsolicited links into wp-admin, are useful additional steps.

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
KEV: 0 (not in CISA KEV)
EPSS: +0.0
CVSS: +0
POC: 0 (no public proof of concept)

CVE-2025-23757 vulnerability details – vuln.today