CVE-2025-23848
Published: 16 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-23848 is a Cross-Site Request Forgery (CSRF) vulnerability in the Hotspots Analytics WordPress plugin developed by dpowney, which enables Stored XSS. The flaw affects the plugin from its initial versions through 4.0.12, as documented under CWE-352. It was published on 2025-01-16 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this vulnerability remotely over the network with low attack complexity and no required privileges, though it depends on user interaction. An unauthenticated adversary can craft a malicious webpage or link that, when visited by an authenticated WordPress administrator, triggers a CSRF request to store a malicious XSS payload in the plugin. Successful exploitation leads to low impacts on confidentiality, integrity, and availability, elevated by the changed scope (S:C), potentially allowing session hijacking or further site compromise via the stored script.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/hotspots/vulnerability/wordpress-hotspots-analytics-plugin-4-0-12-csrf-to-stored-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a CSRF vulnerability in a public-facing WordPress plugin enabling stored XSS, which is directly exploitable as an attack on a public-facing application.