CVE-2025-23510

CVE-2025-23510 is a Cross-Site Request Forgery (CSRF) vulnerability in the wordpress-logging-service WordPress plugin developed by Jan Štětina. The flaw enables Stored Cross-Site Scripting (XSS) and affects all versions of the plugin up to and including 1.5.4.

Attackers can exploit this vulnerability remotely over the network without authentication or privileges (PR:N), though it requires user interaction (UI:R) such as clicking a malicious link or submitting a forged request. With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), exploitation allows low-level impacts on confidentiality, integrity, and availability across a changed scope, enabling attackers to trick authenticated users—likely administrators—into storing XSS payloads that execute in the context of subsequent page viewers.

Mitigation guidance is available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wordpress-logging-service/vulnerability/wordpress-wordpress-logging-service-plugin-1-5-4-csrf-to-stored-cross-site-scripting-xss-vulnerability?_s_id=cve, which details the issue in the context of the plugin's 1.5.4 version. The vulnerability is associated with CWE-352.