CVE-2025-23446

CVE-2025-23446 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP SpaceContent WordPress plugin (wp-spacecontent) developed by KokoenDE that enables Stored Cross-Site Scripting (XSS). Published on 2025-03-03, it affects all versions from n/a through 0.4.5 and is associated with CWE-352. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

An unauthenticated attacker on the network can exploit this by crafting a malicious webpage that, when visited by an authenticated user (such as an administrator) with user interaction, triggers a CSRF request to inject malicious scripts into the plugin's content. The stored XSS payload then executes in the context of the WordPress site for subsequent users viewing the affected content, achieving low impacts to confidentiality, integrity, and availability with a changed scope.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wp-spacecontent/vulnerability/wordpress-wp-spacecontent-plugin-0-4-5-csrf-to-stored-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the CSRF-to-Stored XSS vulnerability specifically in WP SpaceContent version 0.4.5.