CVE-2025-23713
Published: 16 January 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23713 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin "Hack me if you can" by artanik, which allows Stored XSS. This issue affects the plugin from n/a through version 1.2 and is associated with CWE-352.
The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction. Attackers can exploit it by tricking authenticated users into performing unintended actions via forged requests, leading to the storage of malicious XSS payloads that execute in other users' browsers.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/hack-me-if-you-can/vulnerability/wordpress-hack-me-if-you-can-plugin-1-2-csrf-to-stored-xss-vulnerability?_s_id=cve details the CSRF-to-Stored XSS vulnerability in the plugin version 1.2 and provides information on mitigation for affected WordPress installations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a CSRF vulnerability in a public-facing WordPress plugin that enables stored XSS; this directly maps to exploiting a public-facing application (T1190) and abusing JavaScript for malicious execution in victim browsers (T1059.007).