CVE-2025-23977
Published: 31 January 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23977 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Bhaskar Dhote Post Carousel Slider WordPress plugin (post-carousel-slider) that enables Stored XSS. The vulnerability affects all versions from n/a through 2.0.1 and was published on 2025-01-31. It carries a CVSS v3.1 base score of 7.1 (High), with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L.
The vulnerability can be exploited by any network-accessible attacker with low attack complexity, requiring no privileges but relying on user interaction, such as tricking an authenticated user into performing a malicious request. Exploitation changes the scope (S:C), allowing attackers to inject and store XSS payloads via CSRF, which can then execute in the context of other users viewing affected content, leading to low-level impacts on confidentiality, integrity, and availability.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/post-carousel-slider/vulnerability/wordpress-post-carousel-slider-plugin-2-0-1-csrf-to-stored-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is in a public-facing WordPress plugin allowing exploitation of public-facing applications (T1190). The CSRF to stored XSS directly enables injection and execution of arbitrary JavaScript payloads in the browsers of other users (T1059.007).