CVE-2025-23660
Published: 16 January 2025
Description
Cross-Site Request Forgery (CSRF) vulnerability in waltercerrudo MFPlugin mfplugin allows Stored XSS. This issue affects MFPlugin: from n/a through <= 1.3.
Security Summary
CVE-2025-23660 is a Cross-Site Request Forgery (CSRF) vulnerability in the MFPlugin WordPress plugin by waltercerrudo (plugin slug mfplugin). It affects all versions up to and including 1.3 and enables Stored Cross-Site Scripting (XSS). It is classified under CWE-352 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The attacker needs no account on the target site (PR:N) and the attack complexity is low (AC:L), but user interaction is required (UI:R): a logged-in user who is allowed to change the plugin's settings, typically an administrator, must open an attacker-controlled page or click a crafted link. That page silently submits a form to the plugin's settings endpoint. Because the endpoint does not require proof that the user intended the request (in WordPress terms, a nonce check), the browser attaches the victim's session cookie and the request succeeds, storing the attacker's script in the site's database. The payload then executes in the browser of anyone who later views the affected content, which is why the vector records a changed scope (S:C): the impact lands on site users' browsers rather than on the plugin itself. Confidentiality, integrity, and availability are each rated low.
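To make the CSRF-to-stored-XSS chain concrete, the following is an added example and not MFPlugin's code or a reconstruction of it: a generic WordPress settings handler written in the vulnerable style, next to a hardened version. The option name, admin-post action, nonce name and the mfp_example_ prefix are all hypothetical; the WordPress API calls (wp_nonce_field, check_admin_referer, current_user_can, sanitize_text_field, esc_html, update_option) are real.

```php
<?php
// Added example, not MFPlugin's own code. Shows the CSRF-to-stored-XSS pattern
// behind CVE-2025-23660 in a generic WordPress settings handler and its fix.
// All mfp_example_* names, the option name and the admin-post action are hypothetical.

// --- Vulnerable pattern ---------------------------------------------------
// Saves a "banner text" option whenever a POST arrives: no nonce, no capability
// check, no sanitisation. A page on another origin can do
//   <form action="https://victim.example/wp-admin/options-general.php" method="post">
//     <input name="mfp_banner_text" value="<script>/* attacker code */</script>">
//   </form><script>document.forms[0].submit()</script>
// and a logged-in admin who visits it stores the script on the site.
function mfp_example_save_settings_vulnerable() {
    if ( isset( $_POST['mfp_banner_text'] ) ) {
        update_option( 'mfp_example_banner_text', wp_unslash( $_POST['mfp_banner_text'] ) );
    }
}

// Renders the stored value unescaped, so the payload runs for every visitor.
function mfp_example_render_banner_vulnerable() {
    echo '<div class="mfp-banner">' . get_option( 'mfp_example_banner_text', '' ) . '</div>';
}

// --- Hardened pattern -----------------------------------------------------
// The form carries a nonce bound to this action and the current user, so a
// cross-site form cannot produce a request that passes check_admin_referer().
function mfp_example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="mfp_example_save">
        <?php wp_nonce_field( 'mfp_example_save_settings', 'mfp_example_nonce' ); ?>
        <input type="text" name="mfp_banner_text"
               value="<?php echo esc_attr( get_option( 'mfp_example_banner_text', '' ) ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}

function mfp_example_save_settings_hardened() {
    // 1. CSRF: reject any request without a valid nonce for this action
    //    (check_admin_referer() calls wp_die() on failure).
    check_admin_referer( 'mfp_example_save_settings', 'mfp_example_nonce' );

    // 2. Authorisation: a nonce proves intent, not privilege, so check capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 3. Input: strip tags before storage so markup never reaches the database.
    $text = isset( $_POST['mfp_banner_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['mfp_banner_text'] ) )
        : '';
    update_option( 'mfp_example_banner_text', $text );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}

// 4. Output: escape at render time regardless of what is stored, so even an
//    already-poisoned option cannot execute.
function mfp_example_render_banner_hardened() {
    echo '<div class="mfp-banner">' . esc_html( get_option( 'mfp_example_banner_text', '' ) ) . '</div>';
}

add_action( 'admin_post_mfp_example_save', 'mfp_example_save_settings_hardened' );
```

The four checks are independent layers: the nonce stops the forged request, the capability check stops a low-privileged account from reaching the handler directly, and sanitising on input plus escaping on output means that even if one of the first two is bypassed the stored value cannot run as script.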
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/mfplugin/vulnerability/wordpress-mfplugin-plugin-1-3-csrf-to-cross-site-scripting-vulnerability?_s_id=cve documents this CSRF-to-stored-XSS issue for MFPlugin 1.3, the highest affected version.
Details
- CWE(s)