CVE-2025-23928: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Google Org Chart WordPress plugin, identified as CVE-2025-23928. The vulnerability affects versions up to and including 1.0.1 of the plugin, which was disclosed on January 16, 2025. The issue stems from improper neutralization of input during web page generation, allowing authenticated users with Contributor-level access or higher to inject malicious scripts (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The security flaw is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and requires authenticated access with Contributor-level privileges or higher to exploit (NVD).

If successfully exploited, this vulnerability allows attackers to inject malicious scripts that can execute when users visit the affected pages. These scripts could be used to implement redirects, inject unwanted advertisements, or execute other arbitrary HTML payloads in the context of visitors' browsers (Patchstack).

As of the disclosure date, no official fix has been released for this vulnerability. The issue affects all versions up to and including 1.0.1 of the Google Org Chart plugin (Patchstack).