CVE-2025-23691

CVE-2025-23691 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Send to Twitter WordPress plugin developed by Braulio Aquino. This flaw enables Stored XSS and affects all versions of the plugin up to and including 1.7.2. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility with low attack complexity, no required privileges, user interaction, and changed scope.

Attackers can exploit this vulnerability remotely without authentication by crafting a malicious webpage that, when visited by a targeted user (such as a site administrator), triggers a CSRF request to the vulnerable plugin endpoint. This results in the storage of a malicious XSS payload on the WordPress site. Upon subsequent visits by authenticated users, including admins, the payload executes arbitrary JavaScript in the site's context, potentially enabling session hijacking, data theft, or further site compromise, though impacts are rated low across confidentiality, integrity, and availability.

Patchstack advisories document the issue specifically for Send to Twitter plugin version 1.7.2, detailing the CSRF-to-Stored XSS chain, with full vulnerability information available at https://patchstack.com/database/Wordpress/Plugin/send-to-twitter/vulnerability/wordpress-send-to-twitter-plugin-1-7-2-csrf-to-stored-xss-vulnerability?_s_id=cve.