CVE-2025-23617
Published: 16 January 2025
Description
Cross-Site Request Forgery (CSRF) vulnerability in cybio Floatbox Plus (floatbox-plus) allows Stored XSS. This issue affects Floatbox Plus: from n/a through 1.4.4.
Security Summary
CVE-2025-23617 is a Cross-Site Request Forgery (CSRF) vulnerability in the Floatbox Plus WordPress plugin by cybio (floatbox-plus) that allows Stored XSS. The issue affects Floatbox Plus versions from n/a through 1.4.4.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, required user interaction, changed scope, and low impacts to confidentiality, integrity, and availability. The attacker needs no account on the site: it is enough to lure a logged-in user with sufficient rights (such as an administrator) to an attacker-controlled page that submits a forged request to the plugin. Because that request is accepted without CSRF protection (in WordPress terms, without nonce verification), the attacker-supplied value is saved by the plugin and later rendered without adequate escaping, so the injected script executes in the browsers of other users who view the affected page.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/floatbox-plus/vulnerability/wordpress-floatbox-plus-plugin-1-4-4-csrf-to-stored-xss-vulnerability?_s_id=cve) documents this CSRF-to-Stored XSS vulnerability in Floatbox Plus versions up to and including 1.4.4.
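To make the CSRF-to-Stored XSS chain concrete, the following is an added, illustrative example of the generic WordPress plugin pattern behind this class of bug, placed beside the hardened form. It is not Floatbox Plus code and not taken from the advisory; the option key `example_box_settings`, the page slug `example-box`, the field `box_title` and all function names are hypothetical. The vulnerable handler accepts any POST that reaches the admin page and stores the raw value; the hardened handler adds a capability check and nonce verification on save, sanitizes on input and escapes on output.

```php
<?php
// Illustrative only: a generic WordPress settings handler, NOT Floatbox Plus code.
// Hypothetical names: option 'example_box_settings', page slug 'example-box', field 'box_title'.

// VULNERABLE PATTERN.
// No nonce check: a cross-site form POST fired from a logged-in admin's browser is accepted (CSRF).
// No sanitization on save and no escaping on output: the stored value later runs as script (Stored XSS).
function example_box_save_settings_vulnerable() {
    if ( isset( $_POST['box_title'] ) ) {
        update_option( 'example_box_settings', array(
            'title' => wp_unslash( $_POST['box_title'] ), // raw attacker-controlled string is stored
        ) );
    }
}

function example_box_render_vulnerable() {
    $settings = get_option( 'example_box_settings', array( 'title' => '' ) );
    // Unescaped output: a stored "<script>...</script>" executes for every visitor of this page.
    echo '<div class="box-title">' . $settings['title'] . '</div>';
}

// HARDENED PATTERN.
function example_box_save_settings_hardened() {
    if ( ! isset( $_POST['box_title'] ) ) {
        return;
    }
    // 1. Only users allowed to manage options may change them (authorization, separate from CSRF).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-box' ), '', array( 'response' => 403 ) );
    }
    // 2. CSRF defence: the request must carry the nonce that wp_nonce_field() emitted in the form.
    //    check_admin_referer() terminates with a 403 when the nonce is missing or invalid, so a
    //    cross-site form post (whose author cannot read the victim's nonce) is rejected here.
    check_admin_referer( 'example_box_save', 'example_box_nonce' );
    // 3. Sanitize on input: strip tags and control characters before the value is persisted.
    $title = sanitize_text_field( wp_unslash( $_POST['box_title'] ) );
    update_option( 'example_box_settings', array( 'title' => $title ) );
}

function example_box_render_hardened() {
    $settings = get_option( 'example_box_settings', array( 'title' => '' ) );
    // 4. Escape on output for the HTML context the value lands in.
    echo '<div class="box-title">' . esc_html( $settings['title'] ) . '</div>';
}

// The settings form that pairs with the hardened handler (hypothetical markup).
function example_box_settings_form() {
    $settings = get_option( 'example_box_settings', array( 'title' => '' ) );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=example-box' ) ) . '">';
    // Emits a hidden field named 'example_box_nonce' tied to the action 'example_box_save'
    // and to the current user's session; check_admin_referer() above verifies exactly this pair.
    wp_nonce_field( 'example_box_save', 'example_box_nonce' );
    echo '<input type="text" name="box_title" value="' . esc_attr( $settings['title'] ) . '">';
    submit_button( __( 'Save', 'example-box' ) );
    echo '</form>';
}
```

Two points worth keeping apart when reviewing a plugin for this pattern: the nonce defends against forged requests but is not an authorization check, so the capability test is still needed; and sanitizing on save does not remove the need to escape on output, since stored values may have been written by older, unsanitized code paths. If the setting must legitimately hold markup, `wp_kses_post()` on input is the usual replacement for `sanitize_text_field()`, with output escaping chosen for the context (attribute, HTML body, JavaScript) where the value is emitted.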
Details
- CWE(s)