CVE-2025-23717
Published: 16 January 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-23717 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin Theme My Ontraport Smartform by itmooti. This flaw enables Stored XSS and affects all versions of the plugin up to and including 1.2.11. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, user interaction dependency, changed scope, and low impacts across confidentiality, integrity, and availability.
Unauthenticated attackers can exploit this vulnerability remotely by tricking authenticated users into visiting a malicious webpage that submits forged requests to the vulnerable plugin. This leads to the storage of XSS payloads, which execute in the context of the WordPress site for subsequent visitors, potentially enabling session hijacking, data theft, or further site compromise depending on the payload.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/theme-my-ontraport-smartform/vulnerability/wordpress-theme-my-ontraport-smartform-plugin-1-2-11-csrf-to-stored-xss-vulnerability?_s_id=cve) documents the CSRF-to-Stored XSS issue in version 1.2.11 and provides vulnerability details for mitigation guidance.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF-to-stored XSS in public-facing WordPress plugin directly enables T1190 (exploiting public-facing app for initial access) and facilitates T1185 (browser session hijacking via malicious JS payloads executed for site visitors).