CVE-2025-23731: 
WordPress vulnerability analysis and mitigation

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability was discovered in infosoftplugin Tax Report for WooCommerce plugin versions through 2.2. The vulnerability allows attackers to perform Reflected Cross-Site Scripting attacks (Wordfence, Patchstack).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue with a CVSS score of 7.1 (Medium). The vulnerability affects all versions of Tax Report for WooCommerce plugin up to and including version 2.2. The security flaw allows unauthenticated attackers to inject malicious scripts into the web application (Patchstack).

If successfully exploited, this vulnerability could allow malicious actors to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website which will be executed when guests visit the site (Patchstack).

Currently, there is no official fix available from the vendor. However, Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until an official fix becomes available. Users are advised to implement the virtual patch immediately to protect their websites (Patchstack).