CVE-2025-23664

CVE-2025-23664 is a Cross-Site Request Forgery (CSRF) vulnerability in the Real Seguro Viagem WordPress plugin (seguro-viagem) that allows Stored Cross-Site Scripting (XSS). This issue affects versions of the plugin from n/a through 2.0.5. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and maps to CWE-352.

Attackers can exploit this vulnerability over the network with low complexity and no required privileges, but it relies on user interaction. A victim, likely an authenticated WordPress user, can be tricked into submitting a malicious request via a crafted webpage, resulting in the storage of an XSS payload. This enables script execution in the site's context for other users, achieving low impacts on confidentiality, integrity, and availability across a changed scope.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/seguro-viagem/vulnerability/wordpress-real-seguro-viagem-plugin-2-0-5-csrf-to-stored-cross-site-scripting-vulnerability?_s_id=cve) documents the CSRF-to-Stored XSS issue in Real Seguro Viagem plugin version 2.0.5. Security practitioners should consult this reference for vulnerability details and recommended mitigations.