CVE-2025-23922
Published: 16 January 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2025-23922 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the Harsh iSpring Embedder WordPress plugin (embed-ispring). It affects all versions up to and including 1.0 (no lower bound is given) and allows an attacker to upload a web shell to the web server. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), reflecting its critical severity: full loss of confidentiality, integrity, and availability, with scope changed beyond the vulnerable component.
Unauthenticated attackers can exploit this issue remotely with low complexity and no required user interaction. By tricking a legitimate user or otherwise abusing the missing CSRF protection, they can upload a web shell, achieving arbitrary file upload and likely remote code execution on the target web server.
The Patchstack advisory provides further details on this WordPress plugin vulnerability, available at https://patchstack.com/database/Wordpress/Plugin/embed-ispring/vulnerability/wordpress-ispring-embedder-plugin-1-0-csrf-to-arbitrary-file-upload-vulnerability?_s_id=cve.
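The root cause class described above (a file-upload handler that does not verify an anti-CSRF token, CWE-352) is illustrated here with an added PHP example. This is not the embed-ispring plugin's code and is not derived from the advisory; the hook name, form field names and nonce action are assumptions. It shows a handler with no request-origin or authorization checks beside a hardened version that uses WordPress's own nonce, capability and file-type APIs.

```php
<?php
// Hypothetical illustration of the CWE-352 pattern behind this advisory.
// Not the embed-ispring plugin's code; hook names, form fields and the
// nonce action are assumed for the example.

// Vulnerable shape (shown for contrast, deliberately not hooked): an
// admin-post handler that accepts a file with no nonce check, no capability
// check and no restriction on file type. Any request that reaches it,
// including one a logged-in user's browser was made to send, results in
// a file written under wp-content/uploads.
function ispring_demo_upload_vulnerable() {
    $result = wp_handle_upload( $_FILES['package'], array( 'test_form' => false ) );
    wp_die( isset( $result['error'] ) ? esc_html( $result['error'] ) : 'uploaded' );
}

// Hardened shape: verify the nonce (rejects cross-site requests), require a
// capability, and accept only the one archive type the feature needs.
function ispring_demo_upload_hardened() {
    // 1. Anti-CSRF: check_admin_referer() stops the request (wp_die) unless a
    //    valid nonce for this action was submitted with the form.
    check_admin_referer( 'ispring_demo_upload', 'ispring_demo_nonce' );

    // 2. Authorization: a valid nonce only proves the request came from our
    //    own page; the user still needs the right to upload files.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    if ( empty( $_FILES['package']['tmp_name'] ) ) {
        wp_die( 'No file received', '', array( 'response' => 400 ) );
    }

    // 3. Content restriction: accept only extension/type pairs from an
    //    explicit allow list. The same list is passed to wp_handle_upload()
    //    so its final type check is restricted to zip as well.
    $allowed = array( 'zip' => 'application/zip' );
    $check   = wp_check_filetype_and_ext(
        $_FILES['package']['tmp_name'],
        $_FILES['package']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'Only .zip packages are accepted', '', array( 'response' => 415 ) );
    }

    $result = wp_handle_upload(
        $_FILES['package'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }

    wp_safe_redirect( add_query_arg( 'ispring_demo_uploaded', '1', admin_url() ) );
    exit;
}

// Form side: emits the nonce field that the hardened handler verifies.
function ispring_demo_upload_form() {
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ispring_demo_upload">
        <?php wp_nonce_field( 'ispring_demo_upload', 'ispring_demo_nonce' ); ?>
        <input type="file" name="package">
        <button type="submit">Upload package</button>
    </form>
    <?php
}

// Only the hardened handler is registered; the vulnerable one is never hooked.
add_action( 'admin_post_ispring_demo_upload', 'ispring_demo_upload_hardened' );
```

The three checks are independent and each closes a different gap: the nonce ties the request to a page the site itself served, the capability check limits who may upload at all, and the allow list keeps a PHP file from being written into a web-served directory even if the first two are bypassed.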
Details
- CWE(s): CWE-352
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF flaw in a public-facing WordPress plugin directly enables arbitrary upload of a web shell, which maps to exploitation of a public-facing application followed by web shell deployment for remote code execution.