CVE-2025-23460: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WordPress RWS Enquiry And Lead Follow-up plugin, identified as CVE-2025-23460. The vulnerability affects versions up to and including 1.0 of the plugin. The issue was discovered by security researcher Kévin Mosbahi (Mika) and was publicly disclosed on March 18, 2025 (WPScan).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The issue stems from insufficient input sanitization and output escaping in the plugin's web page generation process (NVD, Patchstack).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages that will execute when users interact with malicious content, such as clicking on a specially crafted link (WPScan).

As of the vulnerability disclosure, there is no known fix available for this security issue. Users of the RWS Enquiry And Lead Follow-up plugin should consider implementing additional security measures or temporarily disabling the plugin until a patch is released (WPScan).