Cyber Posture

CVE-2025-23567

High

Published: 16 January 2025
Modified: 23 April 2026
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0010 (28.0th percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Cross-Site Request Forgery (CSRF) vulnerability in Tamer Ziady GDReseller gdreseller allows Stored XSS. This issue affects GDReseller: from n/a through <= 1.6.

Security Summary

CVE-2025-23567 is a Cross-Site Request Forgery (CSRF) vulnerability in the GDReseller WordPress plugin developed by Tamer Ziady, which can be leveraged to achieve Stored XSS. The flaw affects all GDReseller versions up to and including 1.6 (no earliest affected version is given) and is classified as CWE-352. Published on 2025-01-16, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Unauthenticated attackers (PR:N) can exploit this over the network (AV:N) with low complexity (AC:L), but only if an authenticated user can be induced to interact with attacker-controlled content (UI:R), for example by following a crafted link. The victim's browser then submits a forged request to the plugin, which does not adequately verify the request's origin and so stores the attacker-supplied XSS payload. When other users, including administrators, later view the affected content, the payload executes in their browsers, a different security scope from the vulnerable plugin (S:C), potentially enabling session hijacking, data theft, or further site compromise; the rated impact on confidentiality, integrity, and availability is nonetheless low (C:L/I:L/A:L).

The Patchstack advisory provides details on this vulnerability, including patch information for the affected WordPress plugin, accessible at https://patchstack.com/database/Wordpress/Plugin/gdreseller/vulnerability/wordpress-gdreseller-plugin-1-6-csrf-to-stored-xss-vulnerability?_s_id=cve.

Details

CWE(s)
CWE-352