CVE-2025-23745
Published: 16 January 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23745 is a Cross-Site Request Forgery (CSRF) vulnerability in the Call me Now WordPress plugin by Tussendoor B.V., which enables Stored Cross-Site Scripting (XSS). The issue affects the plugin from unknown initial versions through 1.0.5 and is associated with CWE-352.
Attackers require no privileges and can exploit this over the network with low complexity, though user interaction is needed. Per the CVSS 3.1 score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), exploitation changes scope and yields low impacts on confidentiality, integrity, and availability. Unauthenticated attackers can forge requests to trick users into injecting and storing XSS payloads, which then execute for subsequent visitors.
The Patchstack advisory provides further details on this WordPress plugin vulnerability, including assessment and recommended actions.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a vulnerability in a public-facing WordPress plugin exploitable over the network without authentication, directly mapping to T1190. The CSRF-enabled stored XSS allows injection of JavaScript payloads that execute in visitors' browsers, facilitating T1059.007.