CVE-2025-23888: WordPress Custom Page Extensions Plugin <= 0.6 - Cross Site Scripting (XSS) vulnerability
First published: Fri Jan 24 2025(Updated: )
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Custom Page Extensions allows Reflected XSS. This issue affects Custom Page Extensions: from n/a through 0.6.
Credit: audit@patchstack.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| WordPress Custom Page Extensions Plugin | <=0.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2025-23888?
CVE-2025-23888 is classified as a reflected Cross-site Scripting (XSS) vulnerability.
How do I fix CVE-2025-23888?
To fix CVE-2025-23888, update the NotFound Custom Page Extensions to version 0.7 or later.
Which versions of Custom Page Extensions are affected by CVE-2025-23888?
CVE-2025-23888 affects Custom Page Extensions versions from n/a up to and including version 0.6.
What type of attack can be performed due to CVE-2025-23888?
CVE-2025-23888 allows attackers to execute reflected Cross-site Scripting (XSS) attacks.
Is the NotFound Custom Page Extensions Plugin still maintained?
As of now, it is essential to check the latest updates from the vendor regarding the maintenance status of the NotFound Custom Page Extensions Plugin.
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/title
- agent/references
- agent/description
- agent/first-publish-date
- agent/type
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/severity
- agent/author
- agent/event
- agent/source
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/wordpress
- canonical/wordpress custom page extensions plugin