Cyber Posture

CVE-2025-23436

Severity: High
Published: 16 January 2025
Modified: 23 April 2026
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0004 (12.2nd percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Cross-Site Request Forgery (CSRF) vulnerability in capa Wp-Scribd-List (wp-scribd-list) allows Stored XSS. This issue affects Wp-Scribd-List: from n/a through 1.2 (inclusive).

Security Summary

CVE-2025-23436 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WP-Scribd-List WordPress plugin (wp-scribd-list) that can be chained into Stored XSS. It affects all versions of the plugin from n/a through 1.2 inclusive. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): it is reachable over the network, needs no privileges on the attacker's side, has low attack complexity and changes scope, but it does require user interaction (UI:R), since a logged-in user must be lured into loading the attacker's page or link.

An unauthenticated attacker exploits the CSRF flaw by getting a user who is logged in to the target site, and who can reach the plugin's affected functionality, to load a crafted page that submits a forged request in that user's session; the request persists attacker-controlled content that the plugin later renders without adequate escaping, so the script executes in the browsers of everyone who views the affected page (Stored XSS). The PR:N rating describes the attacker, not the victim: the chain still depends on a privileged user being signed in and tricked, which is why UI:R applies. Confidentiality, integrity and availability impacts are each rated Low, but the Changed scope (script running in visitors' browsers rather than within the plugin's own authorization boundary) raises the overall severity. Practical mitigation is to update beyond the affected range (1.2 and earlier) per the Patchstack advisory, or remove the plugin if no fixed release is available.
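The following PHP illustrates the general CSRF-to-stored-XSS pattern described above in a WordPress settings handler, with the weak form beside the hardened one. It is an added example written for this page, not code from the WP-Scribd-List plugin or its advisory; the hook names (`wpsl_save`, `wpsl_save_vulnerable`), option name (`wpsl_list_title`), nonce action and field names are assumptions chosen for illustration. The WordPress API calls used (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `sanitize_text_field`, `esc_html`, `esc_attr`, `update_option`, `get_option`, `admin_post_*` hooks) are real core functions.

```php
<?php
/*
 * Hypothetical plugin settings handler showing CWE-352 (CSRF) chained into
 * stored XSS, and the hardened equivalent. Added example, not the plugin's code.
 * Hook, option, nonce and field names below are assumptions for illustration.
 */

// ---- Vulnerable form: no nonce, no capability check, no output escaping. ----
// Any third-party page an administrator visits can auto-submit a POST to
// admin-post.php?action=wpsl_save_vulnerable in the admin's session (CSRF).
// The raw value is persisted and later echoed verbatim (stored XSS).
function wpsl_save_settings_vulnerable() {
    $title = $_POST['wpsl_list_title'];          // attacker-controlled, unsanitized
    update_option( 'wpsl_list_title', $title );  // persisted for every later page view
    wp_safe_redirect( admin_url( 'options-general.php?page=wpsl' ) );
    exit;
}
add_action( 'admin_post_wpsl_save_vulnerable', 'wpsl_save_settings_vulnerable' );

function wpsl_render_title_vulnerable() {
    // Rendered on the front end: a stored <script> payload executes for every visitor.
    echo '<h2>' . get_option( 'wpsl_list_title', '' ) . '</h2>';
}

// ---- Hardened form. ----
function wpsl_save_settings_hardened() {
    // 1. Authorization: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF defence: the nonce is bound to this user and this action, and a
    //    cross-site page cannot read it. check_admin_referer() dies on mismatch.
    check_admin_referer( 'wpsl_save_settings', 'wpsl_nonce' );

    // 3. Sanitize before storage (strips tags, normalizes whitespace).
    $title = isset( $_POST['wpsl_list_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['wpsl_list_title'] ) )
        : '';
    update_option( 'wpsl_list_title', $title );
    wp_safe_redirect( admin_url( 'options-general.php?page=wpsl' ) );
    exit;
}
add_action( 'admin_post_wpsl_save', 'wpsl_save_settings_hardened' );

function wpsl_render_title_hardened() {
    // 4. Escape at the point of output regardless of what was stored, so a
    //    value written by an older, unsanitized code path is still inert.
    echo '<h2>' . esc_html( get_option( 'wpsl_list_title', '' ) ) . '</h2>';
}

// The settings form must emit the matching nonce field for the hardened handler.
function wpsl_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpsl_save">
        <?php wp_nonce_field( 'wpsl_save_settings', 'wpsl_nonce' ); ?>
        <input type="text" name="wpsl_list_title"
               value="<?php echo esc_attr( get_option( 'wpsl_list_title', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Note the order of the checks in the hardened handler: the capability check and nonce verification come before any input is read, and escaping is applied at output even though input was sanitized, so the two defences do not depend on each other. A nonce alone does not fix the XSS, and escaping alone does not fix the CSRF; the CVE's CSRF-to-XSS chain exists precisely because both were missing in the affected code path.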

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wp-scribd-list/vulnerability/wordpress-wp-scribd-list-plugin-1-2-csrf-to-xss-vulnerability?_s_id=cve) documents the CSRF-to-XSS vulnerability in WP-Scribd-List version 1.2 and provides associated details for mitigation.

Details

CWE(s)
CWE-352 (Cross-Site Request Forgery)

References