CVE-2025-23844
Published: 16 January 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-23844 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Custom Widget Classes WordPress plugin by Jamsheer K. It affects all versions from n/a through 1.1, with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility, low attack complexity, no required privileges, user interaction, changed scope, and low impacts across confidentiality, integrity, and availability.
The vulnerability enables exploitation by unauthenticated attackers over the network who can trick authenticated users into performing unintended actions via forged requests, requiring user interaction such as clicking a malicious link. Successful exploitation changes the scope of impact, potentially allowing limited disruption to confidentiality, integrity, and availability for affected users or the application.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/custom-widget-classes/vulnerability/wordpress-custom-widget-classes-plugin-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve provides details on this CSRF-to-Stored XSS issue and associated mitigations for the Custom Widget Classes plugin version 1.1.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a CSRF vulnerability in a public-facing WordPress plugin exploitable over the network by unauthenticated attackers (T1190) via forged requests delivered through a malicious link requiring user interaction (T1204.001), resulting in stored XSS.