CVE-2025-23875
Published: 16 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-23875 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the madeglobal Better Protected Pages WordPress plugin (better-protected-pages). The issue affects all versions from n/a through 1.0 and enables Stored XSS. Published on 2025-01-16, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The vulnerability can be exploited by unauthenticated attackers over the network (AV:N) with low attack complexity (AC:L), requiring user interaction (UI:R) such as clicking a malicious link. Successful exploitation changes scope (S:C) and results in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L). Attackers can leverage CSRF to perform unauthorized actions that store XSS payloads on the site.
The Patchstack advisory provides further details on this vulnerability in the Better Protected Pages plugin version 1.0; security practitioners should consult https://patchstack.com/database/Wordpress/Plugin/better-protected-pages/vulnerability/wordpress-better-protected-pages-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve for mitigation guidance.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a CSRF vulnerability in a public-facing WordPress plugin that enables Stored XSS, directly mapping to exploitation of public-facing applications (T1190) for initial access.