The vulnerability CVE-2025-23620 in trof Captchelfie – Captcha by Selfie (versions ≤ 1.0.7) is a reflected Cross-site Scripting (XSS) flaw caused by improper neutralization of input during web page generation. This allows attackers to inject malicious scripts that execute in the victim's browser when they interact with crafted URLs or inputs. The CVSS 3.1 base score is 7.1, indicating high severity with network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and impacts on confidentiality, integrity, and availability at low levels. The vulnerability is published but no patch or mitigation details are provided by the vendor. The product is not a cloud service, so remediation depends on vendor patch releases.

Successful exploitation of this reflected XSS vulnerability can allow attackers to execute arbitrary scripts in the context of the victim's browser, potentially leading to theft of sensitive information, session hijacking, or other malicious actions impacting confidentiality, integrity, and availability at a limited level. The CVSS score reflects these impacts as low but present. There are no known active exploits reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, users should consider disabling or restricting use of the affected plugin to mitigate risk. Monitor official vendor channels for updates and apply any official fixes promptly once released.