CVE-2025-23989

CVE-2025-23989 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the Internal Link Builder WordPress plugin developed by Alessandro Piconi. The issue affects all versions of the plugin from n/a through 1.0 inclusive. Published on 2025-01-31, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), reflecting network accessibility, low attack complexity, no required privileges, user interaction dependency, changed scope, and low impacts on confidentiality, integrity, and availability.

An unauthenticated attacker can exploit this vulnerability remotely by tricking an authenticated user, typically a site administrator, into visiting a malicious webpage that submits forged requests to the plugin. This enables the attacker to perform unauthorized actions on behalf of the victim, potentially leading to stored cross-site scripting (XSS) as indicated in vulnerability details.

The Patchstack advisory documents this as a CSRF-to-stored-XSS vulnerability in Internal Link Builder version 1.0 and provides details at https://patchstack.com/database/Wordpress/Plugin/internal-link-builder/vulnerability/wordpress-internal-link-builder-plugin-1-0-csrf-to-stored-xss-vulnerability?_s_id=cve. Security practitioners should consult this reference for mitigation guidance, such as updating the plugin or implementing CSRF protections.