CVE-2025-23502

CVE-2025-23502 is a Cross-Site Request Forgery (CSRF) vulnerability in the Ned Curated Search WordPress plugin, also known as curated-search, that enables Stored Cross-Site Scripting (XSS). This issue affects all versions from n/a through 1.2 inclusive. The vulnerability is classified under CWE-352 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, user interaction needed, changed scope, and low impacts across confidentiality, integrity, and availability.

The vulnerability can be exploited by any unauthenticated attacker over the network who tricks a victim user—typically an authenticated site administrator—into interacting with a malicious request, such as clicking a crafted link or loading a malicious webpage. Successful exploitation via CSRF allows the attacker to store arbitrary JavaScript on the site, which then executes in the context of other users viewing the affected content, potentially leading to session hijacking, data theft, or further site compromise.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/curated-search/vulnerability/wordpress-curated-search-plugin-1-2-csrf-to-stored-xss-vulnerability?_s_id=cve, which covers the WordPress Curated Search plugin vulnerability.