Skip to main content

Proloy Chakroborty ZD Scribd CVE-2025-23757

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-12-31 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:43 NVD
7.1 (HIGH)
Analysis Generated
Apr 01, 2026 - 17:26 vuln.today
CVE Published
Dec 31, 2025 - 20:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proloy Chakroborty ZD Scribd iPaper zd-scribd-ipaper allows Reflected XSS.This issue affects ZD Scribd iPaper: from n/a through <= 1.0.

AnalysisAI

Reflected cross-site scripting (XSS) in ZD Scribd iPaper WordPress plugin version 1.0 and earlier allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation (CWE-79). With an EPSS score of 0.04% indicating low exploitation probability and no public proof-of-concept or active exploitation confirmed, this represents a lower-priority vulnerability despite the XSS classification, though it remains exploitable if a malicious link is crafted and social-engineered to victims.

Technical ContextAI

The vulnerability is a reflected XSS flaw in the ZD Scribd iPaper WordPress plugin, a component designed to embed Scribd documents via the iFrame Paper viewer. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating that user-supplied input is not properly sanitized or encoded before being rendered in HTML output. This allows an attacker to inject arbitrary JavaScript code that executes in the context of the victim's browser when they visit a specially crafted URL. WordPress plugins are typically subject to nonce and capability checks, but improper neutralization in query parameters or request data can bypass intended protections, allowing reflected payloads to execute without authentication.

Affected ProductsAI

ZD Scribd iPaper WordPress plugin version 1.0 and earlier is affected. The plugin, developed by Proloy Chakroborty, provides integration with Scribd document embedding via iFrame Paper. All versions up to and including 1.0 are vulnerable to reflected XSS. Users running this plugin on any WordPress installation should assess their usage and apply available patches. Additional CPE or version details are available in the Patchstack vulnerability database referenced in the advisory.

RemediationAI

Update ZD Scribd iPaper to a patched version if available from the plugin developer or WordPress.org plugin repository. Check the Patchstack database (https://patchstack.com/database/Wordpress/Plugin/zd-scribd-ipaper/vulnerability/wordpress-zd-scribd-ipaper-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) for the specific fixed version number and installation instructions. If no patched version is currently available, disable or remove the plugin until a fix is released. Implement WordPress security measures such as Web Application Firewall (WAF) rules to detect and block reflected XSS payloads, use security plugins to monitor for unusual script injection attempts, and educate users not to click suspicious links referencing your site. Content Security Policy (CSP) headers can provide additional mitigation by restricting inline script execution.

Share

CVE-2025-23757 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy