CVE-2025-23743
Published: 16 January 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23743 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Social Analytics WordPress plugin developed by MartijnScheijbeler. This flaw allows for Stored Cross-Site Scripting (XSS) and affects all versions of the plugin from its initial release through 0.2 inclusive. The vulnerability received a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and scope change.
Attackers can exploit this vulnerability remotely with low complexity and no required privileges, though it necessitates user interaction, such as luring an authenticated WordPress user to a malicious site. By crafting a CSRF payload, an attacker can trick the victim into submitting a request that injects a stored XSS payload into the plugin, which then executes in the context of the site for other users, potentially leading to low-level impacts on confidentiality, integrity, and availability.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/social-analytics/vulnerability/wordpress-social-analytics-plugin-0-2-csrf-to-stored-xss-vulnerability?_s_id=cve) documents this issue in the Social Analytics plugin version 0.2 and provides further technical details for practitioners.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF vulnerability in the public-facing WordPress plugin enables remote exploitation of a web application (T1190) and facilitates injection of JavaScript code via stored XSS for execution in the context of other users' browsers (T1059.007).