Cyber Posture

CVE-2025-22520

High

Published: 07 January 2025
Modified: 23 April 2026
KEV Added:
Patch:
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0010 (28.0th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Cross-Site Request Forgery (CSRF) vulnerability in Tock Tock Widget tock-widget allows Cross Site Request Forgery. This issue affects Tock Widget: from n/a through <= 1.1.

Security Summary

CVE-2025-22520 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Tock Widget WordPress plugin (tock-widget). It affects all versions from the unknown initial release through 1.1 inclusive. The vulnerability was published on 2025-01-07 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): high severity because it is reachable over the network, has low attack complexity, needs no privileges, requires user interaction, and changes scope, with low impact on each of confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this CSRF vulnerability remotely by tricking an authenticated user into submitting an unintended request, for example from a crafted webpage. Exploitation requires user interaction, such as visiting a malicious site while logged into a vulnerable WordPress site with the plugin active. Successful exploitation has low-level impact on confidentiality, integrity, and availability; the Patchstack reference specifically notes that the CSRF leads to stored XSS.

The Patchstack advisory provides details on this vulnerability, including assessment and potential mitigation steps, accessible at https://patchstack.com/database/Wordpress/Plugin/tock-widget/vulnerability/wordpress-tock-widget-plugin-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve. Security practitioners should review it for patching guidance, such as updating to a fixed version if available or implementing CSRF protections.
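The summary above describes the CSRF pattern (a forged request riding on the victim's authenticated session) and the general mitigation of adding CSRF protections. The following is an added illustration, not code from the Tock Widget plugin or from Patchstack, of how a WordPress plugin form handler is protected with a nonce tied to a specific action. All function, option, and action names (example_widget_*) are hypothetical; the page does not state which plugin action is affected, so the handler shown is a generic settings form.

```php
<?php
// Added example (hypothetical plugin code, not tock-widget): a settings form
// handler before and after adding WordPress's nonce-based CSRF protection.

// Render the settings form. wp_nonce_field() emits a hidden field whose value
// is bound to the current user, the session and the named action.
function example_widget_settings_form() {
    $value = get_option( 'example_widget_message', '' ); // hypothetical option
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_widget_save">
        <?php wp_nonce_field( 'example_widget_save', 'example_widget_nonce' ); ?>
        <input type="text" name="example_widget_message"
               value="<?php echo esc_attr( $value ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Weak handler (CWE-352): a capability check alone does not stop CSRF, because
// the victim's browser attaches the session cookie to a cross-site POST, so any
// page the logged-in admin visits can change the stored value. Storing the raw
// input is how such a CSRF becomes a stored XSS.
function example_widget_save_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    update_option( 'example_widget_message', $_POST['example_widget_message'] );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// Hardened handler: verify the nonce for this exact action, keep the capability
// check, and sanitize on input; the form above escapes on output.
function example_widget_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    if ( ! isset( $_POST['example_widget_nonce'] )
        || ! wp_verify_nonce( $_POST['example_widget_nonce'], 'example_widget_save' ) ) {
        // A forged cross-site request cannot know the nonce, so it ends here.
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }
    $message = isset( $_POST['example_widget_message'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_widget_message'] ) )
        : '';
    update_option( 'example_widget_message', $message );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// Route admin-post.php?action=example_widget_save to the hardened handler.
add_action( 'admin_post_example_widget_save', 'example_widget_save_hardened' );
```

When reviewing a plugin for this class of issue, look for every admin_post_*, admin-ajax.php and settings handler that writes options or content and confirm it calls wp_verify_nonce() or check_admin_referer() for a specific action string (not a reused generic one), since a missing nonce check is the defect CWE-352 describes and the capability check by itself is not a substitute.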

Details

CWE(s): CWE-352 (Cross-Site Request Forgery)

References