CVE-2025-23801

CVE-2025-23801 is a Cross-Site Request Forgery (CSRF) vulnerability in the FuzzGuard Style Admin (style-admin) WordPress plugin that allows Stored Cross-Site Scripting (XSS). This issue affects all versions of the plugin from n/a through 1.4.3 inclusive. Published on 2025-01-16, the vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and maps to CWE-352.

Remote attackers without privileges can exploit this vulnerability by tricking authenticated users, such as site administrators, into interacting with a malicious webpage (UI:R). This user interaction enables a CSRF attack that results in the storage of XSS payloads on the target site, potentially leading to low-level impacts on confidentiality, integrity, and availability with a changed scope (S:C).

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/style-admin/vulnerability/wordpress-style-admin-plugin-1-4-3-csrf-to-stored-xss-vulnerability?_s_id=cve details the CSRF-to-Stored XSS vulnerability in the Style Admin WordPress plugin version 1.4.3 and earlier.