CVE-2025-23821

CVE-2025-23821 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WP Cookies Alert WordPress plugin (wp-cookies-alert) developed by aleapp. This issue affects all versions of the plugin from n/a through 1.1.1 inclusive. The vulnerability carries a CVSS v3.1 base score of 7.1, reflecting network accessibility (AV:N), low attack complexity (AC:L), no required privileges (PR:N), user interaction required (UI:R), changed scope (S:C), and low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L).

The vulnerability enables exploitation by remote attackers who can craft malicious requests to trick authenticated users into performing unintended actions on a vulnerable WordPress site, such as modifying plugin settings or configurations via forged cross-site requests. Exploitation requires the victim to interact with a malicious webpage (e.g., clicking a link or loading a page) while authenticated to the target site, allowing the attacker to leverage the user's session without their knowledge. Successful attacks could result in low-level disruptions to data confidentiality, integrity, and availability within the changed scope.

Mitigation details are outlined in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-cookies-alert/vulnerability/wordpress-wp-cookies-alert-plugin-1-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve, which addresses the CSRF issue in WP Cookies Alert version 1.1.1. Security practitioners should review this reference for patching guidance and verify updates beyond version 1.1.1.