CVE-2025-23902
Published: 16 January 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-23902 is a Cross-Site Request Forgery (CSRF) vulnerability, corresponding to CWE-352, in the WordPress plugin Error Notification developed by Taras Dashkevych. The plugin, known as error-notification, is affected in all versions up to and including 0.2.7. Published on 2025-01-16, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and scope change.
An unauthenticated attacker can exploit this CSRF vulnerability remotely with low attack complexity, though it requires user interaction, such as luring an authenticated administrator to a malicious site that submits a forged request in the victim's browser. Exploitation changes the scope and enables limited impacts on confidentiality, integrity, and availability, potentially allowing the attacker to perform plugin actions on behalf of the victim.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/error-notification/vulnerability/wordpress-error-notification-plugin-0-2-7-csrf-to-stored-xss-vulnerability?_s_id=cve) characterizes the issue as a CSRF leading to stored XSS in Error Notification version 0.2.7, providing details for practitioners to assess and address the flaw in affected WordPress environments.
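The advisory title describes the classic CSRF-to-stored-XSS chain: a settings handler accepts a cross-site POST from a logged-in administrator, stores the attacker-controlled value, and later renders it unescaped. The following is an added illustration of that pattern and of the standard WordPress mitigation; it is not the Error Notification plugin's code, and the option name, form field, action hooks and text domain are hypothetical.

```php
<?php
// Added illustration (not the Error Notification plugin's code) of the
// CSRF-to-stored-XSS pattern and its WordPress fix. The option name
// (notification_email), the admin-post action names and the text domain
// are hypothetical.

/* ---- Vulnerable pattern -----------------------------------------------
 * The handler trusts any POST that reaches admin-post.php: no nonce, no
 * capability check, and the value is stored raw and later echoed unescaped.
 * A forged cross-site POST riding an admin's session therefore plants
 * attacker-controlled HTML that is rendered to every admin viewing the page.
 */
function vuln_save_notification_email() {
    $email = $_POST['notification_email'] ?? '';          // untrusted, unsanitized
    update_option('vuln_notification_email', $email);     // stored as-is
    wp_safe_redirect(admin_url('options-general.php?page=vuln'));
    exit;
}
add_action('admin_post_vuln_save', 'vuln_save_notification_email');

function vuln_render_settings_page() {
    $email = get_option('vuln_notification_email', '');
    echo '<p>Notifications go to: ' . $email . '</p>';    // unescaped -> stored XSS
}

/* ---- Hardened pattern -------------------------------------------------
 * 1. The form carries a WordPress nonce tied to one action.
 * 2. The handler rejects requests without a valid nonce (CSRF) and without
 *    the required capability (authorization).
 * 3. Input is validated before storage; output is escaped before rendering.
 */
function safe_render_settings_page() {
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('Insufficient permissions.', 'safe-notify'));
    }
    $email = get_option('safe_notification_email', '');
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="safe_save">
        <?php wp_nonce_field('safe_save_notification_email', 'safe_nonce'); ?>
        <label>Notification e-mail
            <input type="email" name="notification_email" value="<?php echo esc_attr($email); ?>">
        </label>
        <?php submit_button(); ?>
    </form>
    <p>Notifications go to: <?php echo esc_html($email); ?></p>
    <?php
}

function safe_save_notification_email() {
    // CSRF check: dies with a 403 if the nonce is missing, stale, or issued for
    // a different action. A cross-site form cannot obtain the victim's nonce.
    check_admin_referer('safe_save_notification_email', 'safe_nonce');

    // Authorization check: a nonce proves intent, not privilege.
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('Insufficient permissions.', 'safe-notify'), '', ['response' => 403]);
    }

    // Input validation: accept only a syntactically valid address, so markup
    // never reaches the database in the first place.
    $raw   = isset($_POST['notification_email']) ? wp_unslash($_POST['notification_email']) : '';
    $email = sanitize_email($raw);
    if ($email === '' || !is_email($email)) {
        wp_die(esc_html__('Invalid e-mail address.', 'safe-notify'), '', ['response' => 400]);
    }

    update_option('safe_notification_email', $email);
    wp_safe_redirect(add_query_arg('updated', '1', admin_url('options-general.php?page=safe')));
    exit;
}
add_action('admin_post_safe_save', 'safe_save_notification_email');
```

When reviewing a plugin for this class of bug, the quick check is to list every `admin_post_*`, `admin-ajax` and settings-save handler that calls `update_option()` (or otherwise writes state) and confirm each one verifies a nonce with `check_admin_referer()`/`wp_verify_nonce()` and a capability with `current_user_can()` before the write, and that every place the stored value is printed goes through `esc_html()`/`esc_attr()`. Nonce verification alone stops the CSRF; output escaping is what removes the stored-XSS impact if a value ever does get in by another route.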
Details
- CWE(s): CWE-352 (Cross-Site Request Forgery)
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
- T1204.001 (User Execution: Malicious Link)
Why these techniques?
The CSRF vulnerability in a public-facing WordPress plugin maps directly to T1190 (exploitation of the application itself); because exploitation depends on tricking a user via a malicious site or link, it also maps to T1204.001.