CVE-2025-23797
Published: 16 January 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-23797 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the WP Options Editor plugin (wp-options-editor) developed by Mike Selander for WordPress. The flaw allows privilege escalation and affects all versions from unknown initial release through 1.1 inclusive. Published on 2025-01-16, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vulnerability can be exploited by unauthenticated attackers accessible over the network with low attack complexity and no user interaction required. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, specifically through privilege escalation on affected WordPress sites running the vulnerable plugin.
Mitigation details are provided in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-options-editor/vulnerability/wordpress-wp-options-editor-plugin-1-1-csrf-to-privilege-escalation-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF vulnerability in public-facing WordPress plugin enables unauthenticated attackers to achieve privilege escalation with no user interaction, directly mapping to exploitation of public-facing applications (T1190) and exploitation for privilege escalation (T1068).