CVE-2025-23537

CVE-2025-23537 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin "add custom google tag manager" from developer קידום ובניית אתרים, affecting all versions from n/a through 1.0.3. The flaw, classified under CWE-352, enables Stored Cross-Site Scripting (XSS) when exploited via CSRF. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network-accessible exploitation with low complexity, no required privileges, user interaction, changed scope, and low impacts across confidentiality, integrity, and availability.

Remote attackers require no authentication privileges but need to lure a targeted user, such as a site administrator, into interacting with a malicious resource like a crafted webpage or link. This triggers an unintended CSRF request to the plugin, allowing injection of malicious payloads that result in stored XSS. Successful exploitation executes arbitrary scripts in the context of the WordPress site, potentially compromising visitor sessions, stealing data, or performing other malicious actions with low-level impacts due to the changed scope.

The Patchstack advisory provides further details on this vulnerability, including potential mitigation guidance, at https://patchstack.com/database/Wordpress/Plugin/add-custom-google-tag-manager/vulnerability/wordpress-add-custom-google-tag-manager-plugin-1-0-3-csrf-to-stored-cross-site-scripting-vulnerability?_s_id=cve.