CVE-2025-23710
Published: 16 January 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-23710 is a Cross-Site Request Forgery (CSRF) vulnerability in the Flying Twitter Birds WordPress plugin developed by Mayur Sojitra, which allows Stored XSS. This issue affects the plugin from unknown initial versions through version 1.8 inclusive.
The vulnerability can be exploited by unauthenticated attackers over the network with low attack complexity, requiring user interaction such as clicking a malicious link. Exploitation changes the security scope and enables low-level impacts to confidentiality, integrity, and availability, per the CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). An attacker can trick an authenticated WordPress user into submitting a forged request, resulting in the storage of malicious scripts that execute when other users view affected pages.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/flying-twitter-birds/vulnerability/wordpress-flying-twitter-birds-plugin-1-8-csrf-to-stored-xss-vulnerability?_s_id=cve documents this CSRF to Stored XSS vulnerability in the WordPress Flying Twitter Birds plugin version 1.8 and provides relevant mitigation details.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF to stored XSS vulnerability in a public-facing WordPress plugin is exploited over the network by tricking an authenticated user into clicking a malicious link to forge a request and inject persistent malicious scripts.