CVE-2025-23673

High

Published: 16 January 2025

Published

16 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0006 19.9th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Cross-Site Request Forgery (CSRF) vulnerability in dkukral Email on Publish email-on-publish allows Stored XSS.This issue affects Email on Publish: from n/a through <= 1.5.

Security Summary

CVE-2025-23673 is a Cross-Site Request Forgery (CSRF) vulnerability in the dkukral Email on Publish WordPress plugin, which allows Stored Cross-Site Scripting (XSS). This issue affects the plugin from its initial release through version 1.5 inclusive.

The vulnerability can be exploited by remote attackers with no required privileges, provided they can trick an authenticated user into performing an action via a malicious webpage, as indicated by the CVSS v3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (base score 7.1). Exploitation enables the storage of XSS payloads through CSRF, potentially leading to low impacts on confidentiality, integrity, and availability with changed scope.

The Patchstack advisory documents this CSRF to Stored XSS vulnerability specifically in Email on Publish version 1.5, providing further technical details at https://patchstack.com/database/Wordpress/Plugin/email-on-publish/vulnerability/wordpress-email-on-publish-plugin-1-5-csrf-to-stored-xss-vulnerability?_s_id=cve.

Details

CWE(s): CWE-352

References

https://patchstack.com/database/Wordpress/Plugin/email-on-publish/vulnerability/wordpress-email-on-publish-plugin-1-5-csrf-to-stored-xss-vulnerability?_s_id=cve
audit@patchstack.com