CVE-2025-23803
Published: 22 January 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23803 is a Cross-Site Request Forgery (CSRF) vulnerability in the Snippy WordPress plugin developed by Rik Schennink. The issue affects Snippy versions from n/a through 1.4.1 and enables Reflected Cross-Site Scripting (XSS). Published on 2025-01-22, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and maps to CWE-352.
Remote attackers require no privileges to exploit this vulnerability, but user interaction is necessary, such as an authenticated victim visiting a malicious site. The attacker can craft a webpage that forges a CSRF request to the Snippy plugin, triggering reflected XSS in the user's browser. This changes the scope of impact, allowing limited confidentiality, integrity, and availability effects, such as potential session token theft or malicious script execution within the plugin's context.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/snippy/vulnerability/wordpress-snippy-plugin-1-4-1-csrf-to-cross-site-scripting-xss-vulnerability?_s_id=cve provides details on the CSRF-to-XSS vulnerability in Snippy version 1.4.1 for WordPress. Security practitioners should consult this reference for recommended mitigations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF-to-reflected XSS vulnerability in a public-facing WordPress plugin directly enables exploitation of public-facing applications for initial access (T1190) and facilitates arbitrary JavaScript execution in the victim's browser context via XSS (T1059.007), supporting impacts like session token theft.