Cyber Posture

CVE-2025-23435

Severity: High

Published: 16 January 2025
Modified: 23 April 2026
KEV Added: none recorded
Patch: none recorded
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0004 (12.2nd percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Cross-Site Request Forgery (CSRF) vulnerability in marcucci Password Protect Plugin for WordPress (password-protect-plugin-for-wordpress) allows Stored XSS. This issue affects Password Protect Plugin for WordPress: from n/a through <= 0.8.1.0.

Security Summary

CVE-2025-23435 is a Cross-Site Request Forgery (CSRF) vulnerability, classified as CWE-352, in the marcucci Password Protect Plugin for WordPress (plugin slug password-protect-plugin-for-wordpress) that can be chained into Stored XSS. All plugin versions up to and including 0.8.1.0 are affected ("from n/a through 0.8.1.0", i.e. no known lower bound); the entry was published on 16 January 2025.

The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, giving a base score of 7.1. The attacker needs no account on the target site (PR:N) and no special conditions (AC:L), but does need a victim to act (UI:R), which is the defining trait of CSRF: the forged request is issued by the victim's own browser, carrying the victim's session cookies. The scope change (S:C) reflects that the request is forged in one user's browser and the stored script then executes in the browsers of whoever views the affected page. Confidentiality, integrity and availability impacts are each rated Low. The chain that Patchstack labels "CSRF to Stored XSS" follows the usual WordPress plugin pattern: a logged-in user (in practice an administrator, since plugin settings are normally saved from wp-admin) is lured to an attacker-controlled page that submits a request to a plugin handler that does not verify a WordPress nonce; the attacker-supplied value is stored, and because it is later output without escaping, the payload runs persistently rather than once. This page records no patched version, so treat every release through 0.8.1.0 as affected and confirm the fixed version against the Patchstack advisory before relying on an update; when auditing a site, check the plugin's POST handlers for wp_verify_nonce / check_admin_referer and current_user_can calls, and check that stored settings are escaped on output.
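The following is an added illustration of the generic "CSRF to Stored XSS" pattern described above, written for this page and not taken from the Password Protect Plugin for WordPress or its advisory. It shows a hypothetical settings handler first in the vulnerable form (no nonce, no capability check, raw storage, unescaped output) and then hardened with WordPress's own APIs. Every name prefixed example_ (functions, option key, nonce action and field names) is an assumption made for the illustration; the WordPress functions themselves (wp_nonce_field, wp_verify_nonce, current_user_can, sanitize_text_field, wp_unslash, esc_html, esc_attr, update_option, get_option, submit_button, wp_die) are real.

```php
<?php
/*
 * Added illustration, not code from the Password Protect Plugin for WordPress.
 * Shows the generic WordPress "CSRF to Stored XSS" pattern (CWE-352 chained
 * into stored XSS) in its vulnerable form, then hardened. Names prefixed
 * example_ are hypothetical; the WordPress API calls are real.
 */

// --- Vulnerable pattern -----------------------------------------------------
// The handler trusts any POST that reaches admin_init: no nonce check, no
// capability check, and the value is stored raw. A logged-in administrator who
// visits an attacker's page that auto-submits a form to wp-admin with
// example_message=<script>...</script> saves the payload (that is the CSRF).
function example_vuln_save() {
    if ( isset( $_POST['example_message'] ) ) {
        update_option( 'example_message', $_POST['example_message'] ); // unsanitized
    }
}
// Shown for contrast only; a real plugin would wire it up like this:
// add_action( 'admin_init', 'example_vuln_save' );

// The stored value is printed without escaping: the Stored XSS half.
function example_vuln_render() {
    echo '<p>' . get_option( 'example_message', '' ) . '</p>';
}

// --- Hardened pattern -------------------------------------------------------
// Form side: emit a nonce bound to one specific action so that a request
// forged from another origin (which cannot read the nonce) is rejected.
function example_safe_form() {
    echo '<form method="post" action="">';
    wp_nonce_field( 'example_save_message', 'example_nonce' );
    echo '<input type="text" name="example_message" value="'
        . esc_attr( get_option( 'example_message', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// Handler side: verify the nonce (defeats CSRF), require a capability
// (defeats low-privileged accounts), and sanitize on input.
function example_safe_save() {
    if ( ! isset( $_POST['example_message'] ) ) {
        return;
    }
    if ( ! isset( $_POST['example_nonce'] )
        || ! wp_verify_nonce( $_POST['example_nonce'], 'example_save_message' ) ) {
        wp_die( 'Invalid request.', 'Forbidden', array( 'response' => 403 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['example_message'] ) );
    update_option( 'example_message', $value );
}
add_action( 'admin_init', 'example_safe_save' );

// Output side: escape regardless of what is stored, so that data written
// before the fix (or through another path) still cannot execute.
function example_safe_render() {
    echo '<p>' . esc_html( get_option( 'example_message', '' ) ) . '</p>';
}
```

The three checks are independent layers, and a CSRF-to-stored-XSS finding usually means the first and third were both missing: the nonce is what stops the forged request, and output escaping is what stops a stored payload from executing even when the input path was bypassed. When reviewing a plugin for this class of bug, search its source for reads of $_POST, $_GET and $_REQUEST and confirm that each handler reaches wp_verify_nonce or check_admin_referer and a current_user_can check before it writes, and that every echo of a stored option goes through esc_html, esc_attr or wp_kses.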

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/password-protect-plugin-for-wordpress/vulnerability/wordpress-password-protect-plugin-for-wordpress-plugin-0-8-1-0-csrf-to-stored-xss-vulnerability?_s_id=cve provides further details on the vulnerability.

Details

CWE(s)
CWE-352

References