CVE-2025-23990
Published: 31 January 2025
Description
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Security Summary
CVE-2025-23990 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Scroll Styler WordPress plugin developed by jablonczay. This issue affects Scroll Styler versions from n/a through 1.1. The vulnerability was published on 2025-01-31 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, user interaction requirement, and scope change with low impacts across confidentiality, integrity, and availability.
Unauthenticated attackers can exploit this CSRF vulnerability over the network by tricking authenticated users, such as WordPress administrators, into performing unintended actions via malicious requests, typically through user interaction like visiting a crafted webpage. Successful exploitation changes the scope of impact, potentially allowing limited disruption to confidentiality, integrity, and availability, with the Patchstack reference indicating it enables stored XSS in Scroll Styler version 1.1.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/scroll-styler/vulnerability/wordpress-scroll-styler-plugin-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve documents this CSRF-to-stored-XSS issue and serves as a key reference for mitigation details specific to the affected WordPress plugin.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF vulnerability in public-facing WordPress plugin directly enables T1190 Exploit Public-Facing Application; attack requires tricking users via crafted webpage, facilitating T1566.002 Spearphishing Link; stored XSS outcome noted but no further direct mappings.