CVE-2025-23566

CVE-2025-23566 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin Custom Post Type GUI (custom-post-type-gui) developed by syedamirhussain91. This flaw enables Stored Cross-Site Scripting (XSS) and affects all versions of the plugin up to and including 1.0. The issue is classified under CWE-352 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, user interaction needed, changed scope, and low impacts across confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this vulnerability remotely by tricking authenticated users—typically site administrators—into visiting a malicious webpage or clicking a crafted link. This user interaction triggers a forged request to the vulnerable plugin endpoint, allowing the attacker to inject and store malicious XSS payloads without direct authentication. Successful exploitation results in persistent XSS, where the payload executes in the browsers of subsequent users viewing affected content, potentially enabling session hijacking, data theft, or further site compromise.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/custom-post-type-gui/vulnerability/wordpress-custom-post-plugin-1-0-csrf-to-stored-xss-vulnerability?_s_id=cve, which documents the vulnerability in the Custom Post plugin version 1.0. Security practitioners should update to a patched version if available or disable the plugin pending remediation.