CVE-2025-23557

CVE-2025-23557 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin "Find Your Reps" (find-your-reps) developed by Kathleen Malone. This flaw allows for Stored Cross-Site Scripting (XSS) and affects all versions of the plugin up to and including 1.2.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and the need for user interaction, with a changed scope and low impacts on confidentiality, integrity, and availability. Any unauthenticated attacker can exploit it by tricking an authenticated user, such as an administrator, into performing a malicious request via a crafted webpage, resulting in the storage of XSS payloads that execute in the context of the plugin.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/find-your-reps/vulnerability/wordpress-find-your-reps-plugin-1-2-csrf-to-stored-xss-vulnerability?_s_id=cve) documents this CSRF-to-Stored XSS issue in Find Your Reps version 1.2, recommending mitigation through updating the plugin to a version beyond 1.2 where the vulnerability is addressed.