CVE-2025-23578 is a reflected Cross-site Scripting (XSS) vulnerability identified in the Bastien Ho Custom CSS Addons plugin, specifically affecting versions up to and including 1.9.1. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows attackers to inject malicious JavaScript code that is reflected back to users without adequate sanitization or encoding. This flaw enables attackers to craft malicious URLs or input fields that, when visited or submitted by unsuspecting users, execute arbitrary scripts within the victim's browser context. Such scripts can hijack user sessions, steal cookies, perform unauthorized actions on behalf of the user, or redirect users to malicious sites. The vulnerability does not require authentication, increasing its risk profile, but does require user interaction to trigger the exploit. Although no public exploits have been reported yet, the widespread use of the plugin in WordPress environments makes it a significant concern. The lack of a CVSS score indicates that the vulnerability is newly disclosed, and patching information is not yet available. The vulnerability was reserved and published in January 2025, with Patchstack as the assigner. The absence of patches or mitigations in the provided data highlights the need for immediate attention from administrators using this plugin.

The impact of CVE-2025-23578 is primarily on the confidentiality and integrity of user data within affected web applications. Successful exploitation allows attackers to execute arbitrary scripts in the context of users' browsers, potentially leading to session hijacking, theft of sensitive information such as authentication tokens or personal data, and unauthorized actions performed on behalf of users. This can undermine user trust and lead to reputational damage for organizations. Additionally, attackers could use the vulnerability as a foothold for further attacks, including phishing or malware distribution. Since the vulnerability is reflected XSS, it requires user interaction, which may limit mass exploitation but still poses a significant risk, especially for high-traffic websites. Organizations relying on the Bastien Ho Custom CSS Addons plugin in their WordPress sites are at risk of compromise, which could affect e-commerce platforms, content management systems, and other web services. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future attacks once exploit code becomes available.

To mitigate CVE-2025-23578, organizations should: 1) Monitor for and apply security patches or updates from the Bastien Ho Custom CSS Addons plugin vendor as soon as they are released. 2) Implement strict input validation and output encoding on all user-supplied data to prevent injection of malicious scripts. 3) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. 4) Use Web Application Firewalls (WAFs) configured to detect and block reflected XSS attack patterns targeting the plugin. 5) Educate users about the risks of clicking on suspicious links, especially those received via email or untrusted sources. 6) Conduct regular security audits and penetration testing focused on web application vulnerabilities, including XSS. 7) Consider temporarily disabling or replacing the plugin if immediate patching is not feasible, especially on high-risk or public-facing sites. These measures collectively reduce the attack surface and help protect users from exploitation.