CVE-2025-23702

CVE-2025-23702 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin Anonymize Links by Schalk Burger, affecting all versions from n/a through 1.1. The flaw enables Stored Cross-Site Scripting (XSS) and is classified under CWE-352. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility with low attack complexity, no required privileges, user interaction, changed scope, and low impacts to confidentiality, integrity, and availability. The vulnerability was published on 2025-01-16.

Unauthenticated attackers can exploit this CSRF issue by tricking authenticated users into submitting malicious requests, resulting in the storage of XSS payloads. This allows arbitrary script execution in the context of the plugin for subsequent site visitors, with potential for low-level impacts across confidentiality, integrity, and availability due to the expanded scope.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/anonymize-links/vulnerability/wordpress-anonymize-links-plugin-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve) provides details on the vulnerability in the Anonymize Links plugin version 1.1. Security practitioners should consult this reference for mitigation recommendations, including patching to a fixed version beyond 1.1.