CVE-2025-23815
Published: 16 January 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23815 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the linickx root Cookie WordPress plugin. It affects all versions from n/a through 1.6. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), reflecting its network accessibility, low complexity, lack of required privileges, and potential for changed scope with low impacts on confidentiality, integrity, and availability.
Attackers can exploit this CSRF flaw without authentication by tricking a user into submitting a malicious request via a crafted webpage or link, requiring user interaction such as clicking. This enables unauthorized actions on sites running the vulnerable plugin, potentially leading to outcomes like stored XSS as indicated in vulnerability details.
The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/root-cookie/vulnerability/wordpress-root-cookie-plugin-1-6-csrf-to-stored-xss-vulnerability?_s_id=cve documents this as a CSRF-to-stored XSS issue in the WordPress Root Cookie plugin version 1.6, offering insights for practitioners on detection and remediation.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF in public-facing WordPress plugin enables T1190 exploitation; leads to stored XSS facilitating T1059.007 JavaScript execution in browser.