CVE-2025-23654
Published: 16 January 2025
Description
Cross-Site Request Forgery (CSRF) vulnerability in krolow Twitter Post twitterpost allows Stored XSS. This issue affects Twitter Post: from n/a through <= 0.1.
Security Summary
CVE-2025-23654 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the krolow Twitter Post (twitterpost) WordPress plugin that enables Stored Cross-Site Scripting (XSS). Published on 2025-01-16, it affects all versions of the plugin from unknown initial release through 0.1 inclusive. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, and changed scope despite needing user interaction.
Attackers can exploit this remotely without authentication by tricking a user, such as an authenticated WordPress administrator, into visiting a malicious site or clicking a crafted link that submits a CSRF request. The forged request injects and stores an XSS payload through the plugin's functionality, and the payload then executes in the browser context of subsequent site visitors or users, potentially leading to session hijacking, data theft, or further site compromise. The CVSS vector rates the confidentiality, integrity, and availability impacts as low because the payload runs inside a victim's browser session rather than on the server, but because the payload is stored it executes for every user who loads the affected page, not only for the user who submitted the forged request.
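The chain described above (a forged request that stores attacker-controlled content, which later renders unescaped) is closed by four controls that WordPress provides out of the box: a capability check, a nonce bound to the action, sanitization on input, and escaping on output. The following is an added, illustrative example of that defensive pattern; it is not the Twitter Post plugin's code and makes no claim about how the plugin is implemented. The option key `example_widget_text`, the action name `example_save_text`, the nonce field `example_nonce`, and the function names are all hypothetical.

```php
<?php
// Added illustrative example, not code from the Twitter Post plugin.
// Shows the generic WordPress pattern that blocks a CSRF-to-stored-XSS chain:
// (1) capability check, (2) nonce verification, (3) sanitize on input,
// (4) escape on output. All names below are hypothetical.

// Settings form: wp_nonce_field() emits a token tied to this action and the
// current user's session, so a request forged from another origin cannot carry it.
function example_render_settings_form() {
    $current = get_option( 'example_widget_text', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_text', 'example_nonce' ); ?>
        <input type="hidden" name="action" value="example_save_text">
        <label for="example_widget_text">Widget text</label>
        <!-- esc_attr() keeps a stored value from breaking out of the attribute -->
        <input type="text" id="example_widget_text" name="example_widget_text"
               value="<?php echo esc_attr( $current ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Save handler, reached via admin-post.php?action=example_save_text for logged-in users.
function example_handle_save_text() {
    // (1) Capability check: only administrators may change what the site renders.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // (2) CSRF defence: check_admin_referer() dies with HTTP 403 when the nonce
    //     is missing or invalid, which is what a cross-site forged POST looks like.
    check_admin_referer( 'example_save_text', 'example_nonce' );

    // (3) Sanitize before storing: sanitize_text_field() strips tags, removes
    //     control characters and normalises whitespace.
    $text = isset( $_POST['example_widget_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_widget_text'] ) )
        : '';
    update_option( 'example_widget_text', $text );

    wp_safe_redirect( admin_url( 'options-general.php?page=example&saved=1' ) );
    exit;
}
add_action( 'admin_post_example_save_text', 'example_handle_save_text' );

// Front-end rendering: (4) escape at the point of output, even though the value
// was sanitized on the way in. Output escaping is what stops stored XSS if any
// other write path (import, REST, direct DB edit) bypasses the sanitizer.
function example_render_widget_text() {
    $text = get_option( 'example_widget_text', '' );
    echo '<p class="example-widget">' . esc_html( $text ) . '</p>';
}
```

When reviewing a plugin for this vulnerability class, the two things to look for are a save path that reaches `update_option()` (or a database write) without a `check_admin_referer()` / `wp_verify_nonce()` call preceding it, and a render path that echoes the stored value without `esc_html()` / `esc_attr()`. Either gap on its own is a finding; both together are the CWE-352 to stored XSS chain this advisory describes.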
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/twitterpost/vulnerability/wordpress-twitter-post-plugin-0-1-csrf-to-stored-xss-vulnerability?_s_id=cve details the CSRF-to-Stored XSS issue in Twitter Post plugin version 0.1 and serves as the primary reference for practitioners assessing exposure.
Details
- CWE(s)