CVE-2025-23898
Published: 16 January 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23898 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin "Apply with LinkedIn buttons" by ivobrett. The flaw allows Stored XSS and affects all versions from n/a through <= 2.3. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and was published on 2025-01-16T21:15:31.497.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity by tricking users into performing unintended actions, such as via a malicious webpage. Successful exploitation leads to Stored XSS, enabling limited impacts on confidentiality, integrity, and availability in a changed scope, such as executing scripts in the context of the WordPress site for other users.
Mitigation details are available in advisories like the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/apply-with-linkedin-buttons/vulnerability/wordpress-apply-with-linkedin-buttons-plugin-2-3-csrf-to-stored-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF-to-Stored-XSS vulnerability in a public-facing WordPress plugin directly enables exploitation of public-facing web applications (T1190) and facilitates JavaScript execution in other users' browsers via the injected payload (T1059.007).