CVE-2025-23675

High

Published: 16 January 2025

Published

16 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0008 22.3th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Cross-Site Request Forgery (CSRF) vulnerability in Sana Ullah Import Users to MailChimp import-users-to-mailchimp allows Stored XSS.This issue affects Import Users to MailChimp: from n/a through <= 1.0.

Security Summary

CVE-2025-23675 is a Cross-Site Request Forgery (CSRF) vulnerability in the Import Users to MailChimp WordPress plugin by Sana Ullah. The flaw enables Stored XSS and affects the plugin in all versions from n/a through 1.0. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and is associated with CWE-352.

The vulnerability can be exploited by unauthenticated attackers over the network with low attack complexity, requiring user interaction such as clicking a malicious link. Exploitation changes the interaction scope, allowing attackers to forge requests that result in stored XSS payloads. This enables script injection that persists and executes in the context of other users viewing affected pages, leading to low impacts on confidentiality, integrity, and availability.

Patchstack's advisory provides details on the vulnerability, including mitigation recommendations, at https://patchstack.com/database/Wordpress/Plugin/import-users-to-mailchimp/vulnerability/wordpress-import-users-to-mailchimp-plugin-1-0-csrf-to-stored-xss-vulnerability?_s_id=cve.

Details

CWE(s): CWE-352

References

https://patchstack.com/database/Wordpress/Plugin/import-users-to-mailchimp/vulnerability/wordpress-import-users-to-mailchimp-plugin-1-0-csrf-to-stored-xss-vulnerability?_s_id=cve
audit@patchstack.com