CVE-2025-23817
Published: 16 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-23817 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin MHR-Custom-Anti-Copy by mahadirz, affecting all versions from n/a through 2.0. The flaw allows for Stored XSS and is classified under CWE-352, with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
An unauthenticated attacker can exploit this vulnerability remotely with low attack complexity by tricking an authenticated user, such as a site administrator, into performing a state-changing action via a forged request that requires user interaction. Successful exploitation enables the injection of a stored XSS payload, potentially allowing the attacker to execute scripts in the victim's browser context, leading to low-level impacts on confidentiality, integrity, and availability with a changed scope.
The Patchstack advisory documents this CSRF to Stored XSS vulnerability specifically in MHR-Custom-Anti-Copy version 2.0 for WordPress and provides details for mitigation; security practitioners should review it at https://patchstack.com/database/Wordpress/Plugin/mhr-custom-anti-copy/vulnerability/wordpress-mhr-custom-anti-copy-plugin-2-0-csrf-to-stored-cross-site-request-forgery-csrf-vulnerability?_s_id=cve for recommended patches or workarounds.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a CSRF to stored XSS flaw in a public-facing WordPress plugin, directly enabling remote exploitation of a web application to inject and execute malicious scripts in the victim's browser context.