Cyber Posture

CVE-2025-23640

High

Published: 16 January 2025

Modified: 23 April 2026
KEV Added: not listed
Patch: not listed
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0004 (12.2 percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Cross-Site Request Forgery (CSRF) vulnerability in Nazmul Ahsan Rename Author Slug rename-author-slug allows Stored XSS. This issue affects Rename Author Slug: from n/a through <= 1.2.0.

Security Summary

CVE-2025-23640 is a Cross-Site Request Forgery (CSRF) vulnerability in the Rename Author Slug WordPress plugin by Nazmul Ahsan, which enables Stored Cross-Site Scripting (XSS). The issue affects all versions of the plugin from its initial release through 1.2.0. Published on 2025-01-16, it is associated with CWE-352 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Unauthenticated attackers can exploit the vulnerability remotely with low attack complexity by tricking a logged-in user into submitting a forged request (CSRF). Exploitation requires user interaction but no privileges on the attacker's part. The forged request stores attacker-controlled content that is later rendered unescaped (stored XSS), with limited impact on confidentiality, integrity, and availability in a changed security scope.

The Patchstack advisory provides further details on the vulnerability, available at https://patchstack.com/database/Wordpress/Plugin/rename-author-slug/vulnerability/wordpress-rename-author-slug-plugin-1-2-0-csrf-to-stored-xss-vulnerability?_s_id=cve.
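As an added illustration (not the plugin's own code, which this page does not show), here is a hypothetical WordPress admin-post handler for renaming an author slug in both the vulnerable and the hardened shape: the first accepts any POST and stores the raw value, which is the CSRF-to-stored-XSS pattern CWE-352 covers; the second verifies a nonce, checks capability, sanitizes the slug and escapes it on output. The option, action and function names (`ras_*`) are assumptions.

```php
<?php
// Added example; not code from the Rename Author Slug plugin.
// Hypothetical names: option 'ras_author_slug', admin-post action 'ras_save_slug'.

// Vulnerable shape (not hooked here): any POST reaching the handler is honoured,
// so a logged-in administrator lured to an attacker page can be made to store an
// arbitrary value, and with no sanitization that value is later rendered as markup.
function ras_save_slug_vulnerable() {
    if ( ! isset( $_POST['author_slug'] ) ) {
        return;
    }
    update_option( 'ras_author_slug', $_POST['author_slug'] ); // no nonce, no capability check, no sanitization
}

// Hardened shape: the nonce ties the request to a form the user actually loaded,
// the capability check limits who may change the setting, sanitize_title()
// reduces the value to a URL-safe slug, and the value is escaped when rendered.
function ras_save_slug_hardened() {
    // 1. Anti-CSRF: check_admin_referer() dies with 403 unless a valid nonce is present.
    check_admin_referer( 'ras_save_slug_action', 'ras_nonce' );

    // 2. Authorization: only users allowed to manage options may change the slug.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'ras' ), '', array( 'response' => 403 ) );
    }

    // 3. Input validation: a slug may only contain lowercase letters, digits and hyphens.
    $slug = isset( $_POST['author_slug'] ) ? sanitize_title( wp_unslash( $_POST['author_slug'] ) ) : '';
    if ( '' === $slug ) {
        wp_die( esc_html__( 'Invalid slug.', 'ras' ), '', array( 'response' => 400 ) );
    }

    update_option( 'ras_author_slug', $slug );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_ras_save_slug', 'ras_save_slug_hardened' );

// Matching settings form: the nonce field must be emitted by the page the user loads.
function ras_render_form() {
    $current = get_option( 'ras_author_slug', 'author' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'ras_save_slug_action', 'ras_nonce' );
    echo '<input type="hidden" name="action" value="ras_save_slug">';
    // 4. Output encoding: never echo the stored value unescaped.
    echo '<input type="text" name="author_slug" value="' . esc_attr( $current ) . '">';
    echo '<button type="submit">Save</button></form>';
}
```

The nonce check alone closes the CSRF vector; the sanitization and output escaping are what prevent a stored value from ever becoming script, so a fix should include all three.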

Details

CWE(s): CWE-352

References