Cyber Posture

CVE-2025-23808

High

Published: 16 January 2025

Modified: 23 April 2026
KEV Added
Patch
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0014 (33.3rd percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-23808 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin Custom List Table Example by Dutch van Andel, affecting all versions up to and including 1.4.1 (no lower bound is listed). The CSRF weakness can be chained into Reflected Cross-Site Scripting (XSS). The issue is classified under CWE-352 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

An unauthenticated attacker can exploit this over the network with low attack complexity, but user interaction is required, such as a victim visiting a malicious page. By tricking a logged-in user into submitting a forged request, the attacker triggers reflected XSS in that user's browser. The vector records low impact on confidentiality, integrity, and availability with a changed scope, meaning the effect extends beyond the vulnerable plugin component to the user's browser session.

The Patchstack advisory documents the CSRF to Reflected XSS vulnerability in Custom List Table Example plugin version 1.4.1 and provides mitigation details. Security practitioners should consult that reference for the recommended remediation steps.

Details

CWE(s)
CWE-352

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Why these techniques?

The CVE describes a CSRF vulnerability in a public-facing WordPress plugin that enables reflected XSS. This maps directly to exploitation of a weakness in an Internet-facing application over the network, which is the defining characteristic of T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References