CVE-2025-23871
Published: 16 January 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23871 is a Cross-Site Request Forgery (CSRF) vulnerability in the Bas Matthee LSD Google Maps Embedder WordPress plugin (lsd-google-maps-embedder). The issue affects all versions up to and including 1.1, as classified under CWE-352. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low complexity, lack of required privileges, and scope change.
Unauthenticated attackers can exploit this vulnerability remotely by tricking authenticated users (such as site administrators) into performing unintended actions via a malicious webpage, requiring user interaction like clicking a link. Successful exploitation enables CSRF leading to stored cross-site scripting (XSS), allowing limited impacts on confidentiality, integrity, and availability, such as injecting malicious scripts that persist on the site.
The Patchstack advisory details this as a CSRF-to-stored-XSS vulnerability in the plugin version 1.1 and provides information on patches or mitigations available through their database. Security practitioners should update to a patched version of the LSD Google Maps Embedder plugin if available, and apply general CSRF protections like token validation in WordPress environments.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote CSRF vulnerability in a public-facing WordPress plugin that leads to stored XSS, directly enabling T1190 (Exploit Public-Facing Application) and T1059.007 (JavaScript execution via injected scripts).