CVE-2025-23867 identifies a reflected Cross-site Scripting (XSS) vulnerability in the WordPress File Search plugin by markcoker, specifically affecting versions up to 1.2. The vulnerability stems from improper neutralization of input during web page generation, which allows attackers to inject malicious JavaScript code into web pages dynamically generated by the plugin. When a victim visits a crafted URL containing malicious payloads, the injected script executes in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. This reflected XSS does not require prior authentication, increasing its risk profile as attackers can exploit it via phishing or social engineering. The plugin is used within WordPress, a widely deployed content management system, increasing the scope of affected systems globally. Although no public exploits have been reported yet, the vulnerability is published and known, which may lead to future exploitation attempts. The lack of a CVSS score indicates the need for a manual severity assessment. The vulnerability affects the confidentiality and integrity of data processed by affected websites and can also impact availability if used in combination with other attacks. The plugin’s market penetration and WordPress’s global popularity make this a relevant threat for many organizations running WordPress sites with this plugin installed.

The primary impact of this vulnerability is the compromise of user trust and data confidentiality through the execution of malicious scripts in users’ browsers. Attackers can steal session cookies, enabling account takeover, or perform actions on behalf of authenticated users, potentially leading to data manipulation or unauthorized transactions. Website defacement or redirection to malicious sites can damage organizational reputation and user confidence. For organizations relying on WordPress File Search, this vulnerability could lead to data breaches, regulatory non-compliance, and financial losses due to fraud or remediation costs. The ease of exploitation without authentication and the widespread use of WordPress amplify the risk. Additionally, attackers may leverage this vulnerability as part of multi-stage attacks, combining it with phishing or malware distribution campaigns. The absence of known exploits currently provides a window for proactive mitigation, but the threat landscape could evolve rapidly.

Organizations should immediately assess their WordPress installations for the presence of the markcoker WordPress File Search plugin and its version. Until an official patch is released, administrators should consider disabling or removing the plugin to eliminate exposure. Implementing Web Application Firewalls (WAFs) with rules to detect and block reflected XSS payloads targeting the plugin’s endpoints can reduce risk. Employing strict Content Security Policies (CSP) can limit the execution of unauthorized scripts in browsers. Input validation and output encoding should be enforced at the application level if custom modifications are possible. Monitoring web server logs for suspicious query parameters or unusual traffic patterns can help detect exploitation attempts. Educating users about phishing risks and suspicious links can reduce successful exploitation via social engineering. Once a patch is available, prompt application of updates is critical. Additionally, regular security audits and vulnerability scanning should be part of ongoing security hygiene.