CVE-2025-23463
Published: 16 January 2025
Description
Cross-Site Request Forgery (CSRF) vulnerability in Mukesh Dak MD Custom content after or before of post md-custom-content allows Stored XSS. This issue affects MD Custom content after or before of post: from n/a through <= 1.0.
Security Summary
CVE-2025-23463 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin "MD Custom Content After or Before of Post" by Mukesh Dak, which allows for Stored XSS. The flaw affects all versions of the plugin up to and including 1.0; the affected range has no lower bound (given as "n/a"). It is classified under CWE-352 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, user interaction needed, changed scope, and low impacts on confidentiality, integrity, and availability.
An unauthenticated attacker can exploit this vulnerability by tricking a legitimate user, such as an administrator with access to the plugin's settings, into visiting a malicious webpage or clicking a crafted link. The victim's browser then submits a forged request that the site processes with the victim's privileges, storing the attacker's XSS payload on the target WordPress site. Once stored, the XSS executes in the context of other site visitors or admins, potentially leading to session hijacking, data theft, or further site compromise.
Patchstack has published an advisory detailing the vulnerability at https://patchstack.com/database/Wordpress/Plugin/md-custom-content/vulnerability/wordpress-md-custom-content-after-or-before-of-post-plugin-1-0-csrf-to-stored-xss-vulnerability?_s_id=cve, which security practitioners should consult for recommended mitigations, such as updating the plugin if a patched version is available or implementing CSRF protections.
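The CSRF protections mentioned above, shown as an added example of a hardened WordPress settings handler; this is not the plugin's own code, and the option key, nonce action, hook suffix and function names are hypothetical placeholders.

```php
<?php
// Added example (not the plugin's code): a settings form and save handler with
// the checks that break the CSRF -> stored XSS chain. All names are placeholders.

// Render the settings form. The nonce field ties the submission to this logged-in
// user's session, so a form auto-submitted from an attacker's page cannot supply it.
function md_example_render_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $current = get_option( 'md_example_custom_content', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="md_example_save">';
    wp_nonce_field( 'md_example_save', 'md_example_nonce' );
    echo '<textarea name="custom_content">' . esc_textarea( $current ) . '</textarea>';
    submit_button( 'Save' );
    echo '</form>';
}

// Handle the submission. Each check closes one link of the chain:
//  1. capability check: only users allowed to manage options reach the save path;
//  2. nonce check: a request forged from another origin fails (check_admin_referer
//     calls wp_die on a missing or invalid nonce);
//  3. output filtering: stored HTML is reduced to wp_kses_post's allowlist, so
//     <script> tags and on* event-handler attributes never reach the database.
function md_example_handle_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    check_admin_referer( 'md_example_save', 'md_example_nonce' );

    $raw   = isset( $_POST['custom_content'] ) ? wp_unslash( $_POST['custom_content'] ) : '';
    $clean = wp_kses_post( $raw );
    update_option( 'md_example_custom_content', $clean );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_md_example_save', 'md_example_handle_save' );
```

When the stored content is later injected before or after a post, pass it through wp_kses_post again at render time so a value written by an older, unfiltered code path is still neutralised.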
Details
- CWE(s)