CVE-2025-23980
Published: 31 January 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-23980 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Full Circle WordPress plugin developed by James Andrews. This flaw enables Stored Cross-Site Scripting (XSS) and affects all versions of the plugin up to and including 0.5.7.8. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating a network attack vector, low attack complexity, no required privileges, required user interaction, and a changed scope with low impact on confidentiality, integrity, and availability.
Unauthenticated attackers can exploit this CSRF vulnerability by crafting malicious requests that trick authenticated users into submitting them unwittingly, such as via a malicious webpage. This allows attackers to store XSS payloads on the target site, which execute in the context of other users viewing affected content, potentially leading to session hijacking, data theft, or further site compromise depending on the payload.
The Patchstack advisory details this vulnerability and mitigation steps at https://patchstack.com/database/Wordpress/Plugin/full-circle/vulnerability/wordpress-full-circle-plugin-0-5-7-8-csrf-to-stored-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a public-facing WordPress plugin directly enables exploitation of a web application (T1190); stored XSS allows arbitrary JavaScript execution in victim browsers (T1059.007).