CVE-2025-23677

CVE-2025-23677 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin "HTTP to HTTPS link changer by Eyga.net," also known as https-links-in-content or DSmidge. This flaw allows for Stored XSS and affects all versions up to and including 0.2.4. The vulnerability received a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, user interaction dependency, changed scope, and low impacts on confidentiality, integrity, and availability.

The vulnerability can be exploited by unauthenticated attackers over the network who trick a legitimate user—typically an authenticated WordPress administrator or editor—into performing an unintended action, such as submitting a malicious request via a crafted link or form. This CSRF action enables the storage of an XSS payload on the site, which then executes in the browser of subsequent users viewing affected content, potentially leading to session hijacking, data theft, or further site compromise within the plugin's scope.

Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/https-links-in-content/vulnerability/wordpress-http-to-https-link-changer-by-eyga-net-plugin-0-2-4-csrf-to-stored-xss-vulnerability?_s_id=cve documents the issue specific to this WordPress plugin, though specific mitigation steps or patch availability are not detailed in the provided references.