CVE-2025-23712
Published: 16 January 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23712 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Kapost Byline WordPress plugin developed by kapostintegrations. This flaw enables Stored Cross-Site Scripting (XSS) and affects all versions of the plugin up to and including 2.2.9. The vulnerability was published on 2025-01-16.
With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the issue is exploitable over the network with low attack complexity and no privileges, but it requires user interaction and has a changed scope: the injected script runs in the browsers of other site visitors, outside the authorization scope of the vulnerable component itself. An unauthenticated attacker who lures a logged-in user with sufficient rights to a malicious webpage can have that user's browser submit a forged request carrying the WordPress session cookie; because the request is not bound to a nonce, the plugin accepts it and stores attacker-controlled markup, which later executes in the browser context of every user who views the injected content.
Patchstack has issued an advisory documenting the CSRF-to-Stored XSS vulnerability in the Kapost Byline WordPress plugin versions up to 2.2.9, available at https://patchstack.com/database/Wordpress/Plugin/kapost-byline/vulnerability/wordpress-kapost-plugin-2-2-9-csrf-to-stored-xss-vulnerability?_s_id=cve. Security practitioners should consult this reference for detailed mitigation steps.
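The following is an added illustration of the CSRF-to-stored-XSS pattern described above and of the standard WordPress defenses against it. It is not code from the Kapost Byline plugin or from Patchstack; the option name, action names, nonce names and the `manage_options` capability are assumptions chosen for the example. The first handler shows the vulnerable shape (a state-changing request accepted on the strength of the session cookie alone, then echoed unescaped); the second shows the hardened form.

```php
<?php
/**
 * Added example, not the plugin's own code. A hypothetical WordPress
 * admin-post handler that stores a "byline" string and renders it.
 * Option/action/nonce names and the capability are assumptions.
 *
 * VULNERABLE PATTERN (CWE-352 -> stored XSS): the handler trusts any POST
 * that arrives with an authenticated session cookie. A page on the
 * attacker's site can auto-submit a form to admin-post.php; the victim's
 * browser attaches the WordPress auth cookie, the value is stored, and the
 * unescaped output later runs in every viewer's browser.
 */
add_action( 'admin_post_example_save_byline_vuln', function () {
    // No nonce check and no capability check: any logged-in user's browser
    // can be driven here from a third-party origin.
    update_option( 'example_byline', $_POST['byline'] ?? '' );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
} );

function example_render_byline_vuln() {
    // Raw echo: a stored "<script>" payload executes on every page that calls this.
    echo '<p class="byline">' . get_option( 'example_byline', '' ) . '</p>';
}

/**
 * HARDENED PATTERN: nonce (CSRF) check and capability check on the way in,
 * sanitisation on the way in, and context-appropriate escaping on the way out.
 */
function example_byline_form() {
    // The nonce is derived from the logged-in user and session; a cross-origin
    // attacker cannot read it, so a forged form fails check_admin_referer().
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_byline">
        <?php wp_nonce_field( 'example_save_byline_action', 'example_byline_nonce' ); ?>
        <input type="text" name="byline"
               value="<?php echo esc_attr( get_option( 'example_byline', '' ) ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}

add_action( 'admin_post_example_save_byline', function () {
    // 1. CSRF: wp_die()s if the nonce is missing, invalid or expired.
    check_admin_referer( 'example_save_byline_action', 'example_byline_nonce' );

    // 2. Authorisation: a valid nonce from a low-privileged user is still not enough.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 3. Input sanitisation: strips tags and control characters before storage.
    $byline = sanitize_text_field( wp_unslash( $_POST['byline'] ?? '' ) );
    update_option( 'example_byline', $byline );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
    exit;
} );

function example_render_byline() {
    // 4. Output escaping for HTML body context; stored data remains untrusted
    //    even after sanitisation, so escape at the point of output as well.
    echo '<p class="byline">' . esc_html( get_option( 'example_byline', '' ) ) . '</p>';
}
```

When auditing a plugin for this class of bug, look for every `admin_post_*`, `wp_ajax_*`, `admin_init` or `init` callback that writes to the database or to options and confirm that a `check_admin_referer()` / `wp_verify_nonce()` call and a `current_user_can()` check both precede the write, and that every read of that stored value is wrapped in an `esc_*` or `wp_kses*` function appropriate to its output context. A nonce alone does not stop a privileged user from storing markup, and escaping alone does not stop a forged request from changing state; the two controls address different halves of the chain.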
Details
- CWE(s): CWE-352 (Cross-Site Request Forgery)
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.007 Command and Scripting Interpreter: JavaScript
Why these techniques?
The CSRF flaw gives an unauthenticated attacker a way to drive state-changing requests into a public-facing WordPress plugin (T1190, Exploit Public-Facing Application), and the stored XSS that results executes attacker-controlled JavaScript in the browsers of users who view the injected content (T1059.007, Command and Scripting Interpreter: JavaScript).