CVE-2025-23649

High

Published: 16 January 2025

Published

16 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0004 12.2th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Cross-Site Request Forgery (CSRF) vulnerability in Kreg Steppe Auphonic Importer auphonic-importer allows Stored XSS.This issue affects Auphonic Importer: from n/a through <= 1.5.1.

Security Summary

CVE-2025-23649 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Auphonic Importer WordPress plugin (auphonic-importer) developed by Kreg Steppe. The flaw enables Stored Cross-Site Scripting (XSS) and affects all versions from n/a through 1.5.1. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and scope change.

Attackers can exploit this vulnerability remotely without privileges by tricking authenticated users into performing unintended actions via a malicious site, such as submitting a CSRF request that stores an XSS payload. Upon success, the stored XSS executes in the context of subsequent users viewing affected content, potentially leading to session hijacking, data theft, or further site compromise with low impacts across confidentiality, integrity, and availability.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/auphonic-importer/vulnerability/wordpress-auphonic-importer-plugin-1-5-1-csrf-to-stored-xss-vulnerability?_s_id=cve) details the vulnerability and provides guidance for security practitioners on mitigation steps.

Details

CWE(s): CWE-352

References

https://patchstack.com/database/Wordpress/Plugin/auphonic-importer/vulnerability/wordpress-auphonic-importer-plugin-1-5-1-csrf-to-stored-xss-vulnerability?_s_id=cve
audit@patchstack.com