CVE-2025-22658
Published: 27 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-22658 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin Listings for Appfolio (listings-for-appfolio) that allows Stored XSS. The issue affects all versions of the plugin up to and including 1.2.0.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as clicking a malicious link. Any unauthenticated attacker can exploit it by tricking an authenticated user into performing a state-changing action via a forged request, resulting in Stored XSS execution in the context of the WordPress site.
Patchstack has documented the vulnerability in its database, detailing the CSRF-to-Stored XSS issue in Listings for Appfolio version 1.2.0. Practitioners should consult the advisory at https://patchstack.com/database/Wordpress/Plugin/listings-for-appfolio/vulnerability/wordpress-listings-for-appfolio-plugin-1-2-0-csrf-to-stored-xss-vulnerability?_s_id=cve for recommended mitigations and any available patches.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a CSRF leading to Stored XSS in a public-facing WordPress plugin, directly enabling exploitation of public-facing applications (T1190). The Stored XSS payload allows arbitrary JavaScript execution in the browser context of authenticated users (T1059.007).