CVE-2025-23975: 
WordPress vulnerability analysis and mitigation

The Botnet Attack Blocker WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability affecting all versions up to and including 2.0.0. The vulnerability was discovered on January 31, 2025, and was assigned CVE-2025-23975. This security issue affects authenticated users with Subscriber-level access and above (WPScan, Patchstack).

The vulnerability is classified as a CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) issue. It has received a CVSS v3.1 base score of 6.5 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability stems from insufficient input sanitization and output escaping, allowing authenticated users to inject malicious web scripts (NVD, Patchstack).

When exploited, this vulnerability allows attackers to inject arbitrary web scripts that will execute whenever a user accesses an injected page. This could enable malicious actors to inject redirects, advertisements, and other HTML payloads into the website which will be executed when guests visit the site (Patchstack).

Currently, there is no official fix available from the vendor. However, Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until an official fix becomes available. Website administrators are advised to implement the virtual patch immediately (Patchstack).