CVE-2025-23884

CVE-2025-23884 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Annie WordPress plugin developed by Chris Roberts. This issue affects Annie from unknown initial versions through version 2.1.1. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), highlighting its potential for cross-site exploitation with changed scope.

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity, requiring only user interaction such as tricking a victim into visiting a malicious webpage. Successful CSRF exploitation enables the attacker to perform unauthorized actions on behalf of the authenticated user, potentially leading to low impacts on confidentiality, integrity, and availability.

The Patchstack advisory details this as a CSRF-to-stored-XSS vulnerability in WordPress Annie plugin version 2.1.1, providing vulnerability assessment and recommendations for affected sites. Security practitioners should consult the advisory at https://patchstack.com/database/Wordpress/Plugin/annie/vulnerability/wordpress-annie-plugin-2-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve for mitigation guidance, including plugin updates where available.