CVE-2025-23558

CVE-2025-23558 is a Cross-Site Request Forgery (CSRF) vulnerability in the Geotagged Media WordPress plugin developed by digitalfisherman, which enables Stored Cross-Site Scripting (XSS). The flaw affects all versions of the geotagged-media plugin from unknown initial release through version 0.3.0 inclusive. Published on 2025-01-16, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and maps to CWE-352.

The vulnerability can be exploited by remote attackers with no required privileges through network-accessible vectors of low complexity, though it requires user interaction. By crafting malicious requests, attackers can trick authenticated users—such as site administrators—into inadvertently storing XSS payloads via CSRF, which then execute in the context of the affected site for other users. This achieves low impacts on confidentiality, integrity, and availability but with a changed scope.

The primary advisory from Patchstack (https://patchstack.com/database/Wordpress/Plugin/geotagged-media/vulnerability/wordpress-geotagged-media-plugin-0-3-0-csrf-to-stored-xss-vulnerability?_s_id=cve) documents the issue and should be consulted for detailed mitigation steps, such as applying available plugin updates beyond version 0.3.0.