CVE-2025-23818
Published: 16 January 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23818 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the More Link Modifier WordPress plugin developed by pyko (slug: more-link-modifier) that enables Stored Cross-Site Scripting (XSS). The issue affects all versions of the plugin from its initial release through 1.0.3. Published on January 16, 2025, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility and scope change.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity by tricking authenticated users, such as site administrators, into performing unintended actions via malicious requests (user interaction required). Exploitation results in stored XSS payloads being injected, potentially allowing attackers to steal session cookies, impersonate users, or execute arbitrary scripts in the context of affected users, with low impacts on confidentiality, integrity, and availability but elevated risk from the cross-site scope change.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/more-link-modifier/vulnerability/wordpress-more-link-modifier-plugin-1-0-3-csrf-to-cross-site-scripting-vulnerability?_s_id=cve documents the CSRF-to-XSS issue in More Link Modifier 1.0.3 and provides mitigation guidance for WordPress site operators.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a CSRF vulnerability in a public-facing WordPress plugin enabling stored XSS injection, directly facilitating exploitation of public-facing applications (T1190) and arbitrary JavaScript execution in the browser context of authenticated users (T1059.007).