CVE-2025-23806
Published: 22 January 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-23806 is a Cross-Site Request Forgery (CSRF) vulnerability in the Ultimate Subscribe WordPress plugin developed by ThemeFarmer, which enables Reflected Cross-Site Scripting (XSS). The flaw, associated with CWE-352, affects all versions of the plugin up to and including 1.3.
A remote unauthenticated attacker can exploit this vulnerability by tricking an authenticated user into performing a state-changing action via a forged request from a malicious site, such as clicking a crafted link. This leads to reflected XSS execution in the victim's browser context. Exploitation requires user interaction, has low attack complexity, and results in low impacts to confidentiality, integrity, and availability with a changed scope, earning a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The Patchstack advisory documents this CSRF-to-Reflected XSS issue in Ultimate Subscribe version 1.3 and provides details on the vulnerability, accessible at https://patchstack.com/database/Wordpress/Plugin/ultimate-subscribe/vulnerability/wordpress-ultimate-subscribe-plugin-1-3-csrf-to-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
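The chain described above (a forged request reaching a handler that both lacks a request-origin check and echoes its input unescaped) is easiest to see in code. The following is an added illustration written for this page, not code from the Ultimate Subscribe plugin or from ThemeFarmer; the `ussub_example_*` function names, the `ussub_message` parameter and the option name are assumptions. It shows a hypothetical WordPress admin handler with both defects, followed by the hardened form that checks capability, verifies a nonce (which defeats the CSRF because a third-party page cannot obtain the victim's nonce), sanitizes on input and escapes on output.

```php
<?php
// Added example for this page; hypothetical handler, not the plugin's own code.

// VULNERABLE (hypothetical): no capability check, no nonce, raw echo of request input.
function ussub_example_settings_page_vulnerable() {
    if ( isset( $_REQUEST['ussub_message'] ) ) {
        // Nothing ties this request to an action the user took on this site,
        // so it can be forged from a malicious page (CSRF), and the value is
        // reflected into the response without escaping (reflected XSS).
        echo '<div class="notice">' . $_REQUEST['ussub_message'] . '</div>';
    }
}

// HARDENED (hypothetical): capability check, nonce verification, sanitize, escape.
function ussub_example_settings_page_hardened() {
    // Only administrators may reach this handler at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }

    if ( isset( $_POST['ussub_message'] ) ) {
        // Rejects (dies) unless the request carries a nonce issued to this user
        // for this action; a forged cross-site request cannot supply one.
        check_admin_referer( 'ussub_example_save', 'ussub_example_nonce' );

        // Normalise and strip tags/control characters before storing.
        $message = sanitize_text_field( wp_unslash( $_POST['ussub_message'] ) );
        update_option( 'ussub_example_message', $message );
    }

    $message = get_option( 'ussub_example_message', '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'ussub_example_save', 'ussub_example_nonce' ); ?>
        <!-- esc_attr() for attribute context, esc_html() for element content -->
        <input type="text" name="ussub_message"
               value="<?php echo esc_attr( $message ); ?>">
        <?php submit_button(); ?>
    </form>
    <div class="notice"><?php echo esc_html( $message ); ?></div>
    <?php
}
```

Two points worth checking in any plugin review of this kind: the nonce check must run before the state change (here, before `update_option()`), and output escaping must match the context the value lands in, since a value safe inside an HTML attribute is not automatically safe elsewhere. Sanitizing on input alone, without escaping on output, still leaves the reflected sink exposed.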
Details
- CWE(s): CWE-352 (Cross-Site Request Forgery)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability sits in a public-facing WordPress plugin and is exploited by a crafted link that triggers a CSRF request, which in turn yields reflected XSS in the victim's browser.