CVE-2025-23870

CVE-2025-23870 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin "Copyright Safeguard Footer Notice" by wygk, which enables Stored Cross-Site Scripting (XSS). The issue affects all versions of the plugin from unknown initial release through version 3.0 inclusive. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and maps to CWE-352 (Cross-Site Request Forgery).

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity by tricking authenticated WordPress administrators or users with sufficient privileges into interacting with a malicious webpage, such as by clicking a forged link. This user interaction allows the attacker to submit a CSRF-protected form that injects and stores malicious JavaScript in the site's footer notice, leading to Stored XSS execution for subsequent visitors. Exploitation results in low-impact effects on confidentiality, integrity, and availability, with a changed scope due to cross-origin scripting.

The Patchstack advisory details this CSRF-to-Stored XSS issue in version 3.0 and earlier, recommending that site owners update the Copyright Safeguard Footer Notice plugin to a patched version beyond 3.0 to prevent exploitation.