Cyber Posture

CVE-2025-23569

Severity: High
Published: 16 January 2025
Modified: 23 April 2026
KEV Added:
Patch:
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0004 (12.2th percentile)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Cross-Site Request Forgery (CSRF) vulnerability in Kelvin Ng Shortcode in Comment (shortcode-in-comment) allows Stored XSS. This issue affects Shortcode in Comment: from n/a through <= 1.1.1.

Security Summary

CVE-2025-23569 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Kelvin Ng Shortcode in Comment WordPress plugin (shortcode-in-comment) that allows Stored XSS. The issue affects all versions from n/a through 1.1.1 and was published on 2025-01-16. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), rated as High severity.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity by tricking an authenticated user into submitting a forged request; user interaction is therefore required. Successful exploitation changes scope and enables stored XSS: the injected script persists in a comment and runs in the browsers of other users who view it, giving limited impact on confidentiality, integrity, and availability.

The Patchstack advisory provides further details on this vulnerability, including mitigation recommendations, at https://patchstack.com/database/Wordpress/Plugin/shortcode-in-comment/vulnerability/wordpress-shortcode-in-comment-plugin-1-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve.

Details

CWE(s): CWE-352

References