CVE-2025-23572

CVE-2025-23572 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin UpDownUpDown postcomment-voting developed by Dave Konopka. The flaw affects all versions of the plugin from n/a through 1.1 inclusive and enables Stored XSS. Published on 2025-01-16, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

The vulnerability can be exploited by unauthenticated attackers accessible over the network with low attack complexity, though it requires user interaction such as clicking a malicious link. By tricking a victim into submitting a forged request, an attacker can inject malicious payloads that result in Stored XSS, persisting the script on the site and potentially executing in the context of other users viewing affected pages, with cross-origin scope change enabling low-level impacts on confidentiality, integrity, and availability.

Mitigation details are documented in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/updownupdown-postcomment-voting/vulnerability/wordpress-updownupdown-plugin-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve. Security practitioners should consult this reference for patch availability and remediation steps specific to the affected plugin versions.