CVE-2025-23455

High

Published: 16 January 2025

Published

16 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0014 33.4th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Cross-Site Request Forgery (CSRF) vulnerability in Master Software Solutions WP VTiger Synchronization msstiger allows Stored XSS.This issue affects WP VTiger Synchronization: from n/a through <= 1.1.1.

Security Summary

CVE-2025-23455 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WP VTiger Synchronization plugin (msstiger) developed by Master Software Solutions. This flaw enables Stored XSS and affects all versions of the plugin from its initial release through 1.1.1. The vulnerability was published on 2025-01-16 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity by tricking authenticated users into interacting with malicious content, such as visiting a crafted webpage. Exploitation via CSRF allows attackers to submit unauthorized requests that result in Stored XSS, achieving low impacts on confidentiality, integrity, and availability with a changed scope.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/msstiger/vulnerability/wordpress-wp-vtiger-synchronization-plugin-1-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve.

Details

CWE(s): CWE-352

References

https://patchstack.com/database/Wordpress/Plugin/msstiger/vulnerability/wordpress-wp-vtiger-synchronization-plugin-1-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve
audit@patchstack.com