Cyber Posture

CVE-2025-23577

High

Published: 16 January 2025
Modified: 23 April 2026
KEV Added: (no value given)
Patch: (no value given)
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0010 (28.0th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Cross-Site Request Forgery (CSRF) vulnerability in Sourov Amin Word Freshener (plugin slug: word-freshener) allows Stored XSS. This issue affects Word Freshener: from n/a through <= 1.3.

Security Summary

CVE-2025-23577 is a Cross-Site Request Forgery (CSRF) vulnerability in the Word Freshener WordPress plugin (slug word-freshener) by Sourov Amin. A forged request can make a logged-in user's browser store attacker-controlled content through the plugin, and that content is later rendered to other users as Stored XSS. The flaw is classified as CWE-352 and affects all versions through 1.3 inclusive; no lower bound is given.

The attacker needs no account on the target site (PR:N) and reaches the flaw over the network (AV:N) with low complexity (AC:L), but exploitation requires user interaction (UI:R): a victim who is logged in with sufficient privileges, typically an administrator, must load an attacker-controlled page or follow a crafted link that submits a forged request to an administrative action of the plugin that lacks CSRF protection (in WordPress terms, a missing nonce check). Because the stored payload then executes in the browsers of other users who view the affected page, the impact crosses into a different security scope (S:C), with limited confidentiality, integrity and availability impact (C:L/I:L/A:L), for a CVSS v3.1 base score of 7.1. The low EPSS score (0.0010, 28th percentile) indicates that broad exploitation is not expected, but the preconditions are cheap to meet in a targeted phishing campaign against site administrators.

Mitigation guidance is available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/word-freshener/vulnerability/wordpress-word-freshener-plugin-1-3-csrf-to-stored-xss-vulnerability?_s_id=cve. This page lists no patched version, so confirm in the advisory whether a fixed release exists and update to it; until then, treat the plugin's admin-side forms as unprotected against CSRF, keep privileged accounts from browsing untrusted sites while logged in, and consider deactivating the plugin if no fix is available.
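To make the CSRF-to-stored-XSS chain and its fix concrete, the following is an added example of a hypothetical WordPress settings handler in the vulnerable shape beside a hardened one. It is not the Word Freshener plugin's code and does not describe its internals; the action name, option name, capability and field names are assumptions chosen for illustration.

```php
<?php
/*
 * Hypothetical WordPress settings handler illustrating the CSRF-to-stored-XSS
 * pattern (CWE-352 leading to stored XSS). This is NOT the Word Freshener
 * plugin's code; the action name 'wf_save_settings', the option
 * 'wf_footer_text' and the form field names are assumed for the example.
 */

// ---------- Vulnerable shape ----------
//
// Reachable by any logged-in user via admin-post.php?action=wf_save_settings.
// No nonce check: a cross-site form submitted from an attacker's page rides on
// the victim's session cookies. No capability check and no sanitisation: the
// raw value is persisted exactly as sent.
function wf_save_settings_vulnerable() {
    $footer = isset( $_POST['wf_footer_text'] ) ? $_POST['wf_footer_text'] : '';
    update_option( 'wf_footer_text', $footer );   // attacker-controlled HTML stored
    wp_safe_redirect( admin_url( 'options-general.php?page=wf-settings' ) );
    exit;
}

// The stored value is later echoed into every page without escaping, so the
// payload runs in the browsers of other visitors (the reason the CVSS vector
// carries S:C rather than S:U).
function wf_render_footer_vulnerable() {
    echo '<div class="wf-footer">' . get_option( 'wf_footer_text', '' ) . '</div>';
}

// ---------- Hardened shape ----------
function wf_save_settings_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this user and action.
    //    check_admin_referer() stops the request with a 403 page if the nonce
    //    is missing or invalid, so a cross-site form cannot reach the write.
    check_admin_referer( 'wf_save_settings', 'wf_nonce' );

    // 2. Authorisation: being logged in is not the same as being allowed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 3. Input validation: strip markup the setting was never meant to hold.
    $footer = isset( $_POST['wf_footer_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['wf_footer_text'] ) )
        : '';
    update_option( 'wf_footer_text', $footer );

    wp_safe_redirect( admin_url( 'options-general.php?page=wf-settings' ) );
    exit;
}

// 4. Output encoding: escape on the way out regardless of what is stored, so a
//    value that slipped in through another path still cannot execute.
function wf_render_footer_hardened() {
    echo '<div class="wf-footer">' . esc_html( get_option( 'wf_footer_text', '' ) ) . '</div>';
}

// The legitimate settings form emits the nonce the hardened handler expects.
function wf_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="wf_save_settings">';
    wp_nonce_field( 'wf_save_settings', 'wf_nonce' );
    echo '<input type="text" name="wf_footer_text" value="'
        . esc_attr( get_option( 'wf_footer_text', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}

// Wire up the hardened handler. admin_post_{action} fires only for logged-in
// users, which is exactly why CSRF matters: the victim supplies the session.
add_action( 'admin_post_wf_save_settings', 'wf_save_settings_hardened' );
add_action( 'wp_footer', 'wf_render_footer_hardened' );
```

In the vulnerable shape, an attacker's page only needs a form whose action is the site's admin-post.php with the same field names, auto-submitted when a logged-in administrator visits; the browser attaches the session cookie and the handler writes whatever was posted. The nonce check alone closes the CSRF route, but the capability check, input sanitisation and output escaping are kept as well because each addresses a distinct failure: a nonce does not stop a low-privileged user who holds a valid one, and a sanitised input does not protect a value that reached the database by another route.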

Details

CWE(s)
CWE-352

References