CVE-2025-23749
Published: 16 January 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23749 is a Cross-Site Request Forgery (CSRF) vulnerability in the progpars.net mybb Last Topics (mybb-last-topics) WordPress plugin that allows Stored XSS. This issue affects mybb Last Topics versions from n/a through 1.0 inclusive, as identified under CWE-352. The vulnerability was published on 2025-01-16 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity, though it requires user interaction. By tricking a victim into performing a state-changing action via a forged request, attackers can inject and store malicious XSS payloads, enabling subsequent execution in users' browsers and resulting in low impacts to confidentiality, integrity, and availability with a changed scope.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/mybb-last-topics/vulnerability/wordpress-mybb-last-topics-plugin-1-0-csrf-to-stored-xss-vulnerability?_s_id=cve documents this CSRF-to-Stored XSS issue in the mybb-last-topics WordPress plugin version 1.0 and provides details relevant to mitigation.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF to stored XSS in public-facing WordPress plugin directly enables remote exploitation of web application (T1190) and facilitates browser-based JavaScript execution via injected payloads (T1059.007).