CVE-2025-23442

CVE-2025-23442 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin Shockingly Big IE6 Warning (shockingly-big-ie6-warning) developed by mschertel. The flaw enables Stored XSS and affects all versions of the plugin from its initial release through 1.6.3. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, user interaction, and changed scope with low impacts on confidentiality, integrity, and availability.

Attackers without privileges can exploit this vulnerability by tricking authenticated users, typically administrators, into visiting a malicious webpage that forges a request to the vulnerable plugin endpoint. This CSRF action injects and stores an XSS payload, which then executes in the context of other site visitors, potentially leading to session hijacking, data theft, or further site compromise depending on the payload.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/shockingly-big-ie6-warning/vulnerability/wordpress-shockingly-big-ie6-warning-plugin-1-6-3-csrf-to-stored-xss-vulnerability?_s_id=cve) documents the issue and provides details on the CSRF-to-Stored XSS chain in version 1.6.3. Security practitioners should consult this reference for specific patch information or mitigation guidance, such as updating to a fixed version if available or implementing CSRF tokens.