CVE-2025-24562
Published: 24 January 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-24562 is a Cross-Site Request Forgery (CSRF) vulnerability in the Optimal Access KBucket WordPress plugin (kbucket) that allows Stored XSS. This issue affects KBucket versions from n/a through 4.1.6 and was published on 2025-01-24. It is associated with CWE-352 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The vulnerability is exploitable over the network with low attack complexity and requires no privileges on the target site, but it does require user interaction: the attacker must lure a victim who is logged in to the WordPress site, most usefully an administrator, to an attacker-controlled page that silently submits a request to the vulnerable plugin endpoint. Because the victim's browser attaches the site's session cookies, the plugin treats the forged request as legitimate and stores the attacker-supplied content, which is later rendered without adequate escaping. That is the stored XSS: the injected script then runs in the browsers of other users who view the affected page, which is why the CVSS vector records a scope change (S:C) together with low impacts to confidentiality, integrity, and availability.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/kbucket/vulnerability/wordpress-kbucket-plugin-4-1-6-csrf-to-stored-cross-site-scripting-vulnerability?_s_id=cve provides details on this CSRF to Stored XSS vulnerability in the WordPress KBucket plugin, affecting versions up to and including 4.1.6.
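The pattern behind a CSRF-to-stored-XSS bug in a WordPress plugin is a state-changing handler that neither verifies a nonce nor escapes what it later renders. The following PHP is an added illustration written for this page; it is not KBucket's code, and the hook names, option name and `demo_` function names are hypothetical. It shows the vulnerable shape next to the hardened shape so the two missing controls are visible side by side.

```php
<?php
// Hypothetical WordPress plugin fragment, written for this page to illustrate
// the CSRF -> stored XSS pattern the advisory describes. Not KBucket's code;
// every name below (demo_*, demo_widget_title) is invented for the example.

// ---- Vulnerable shape ------------------------------------------------------
// Problems:
//  1. No nonce check: a page on any origin can auto-submit a POST to
//     /wp-admin/admin-post.php?action=demo_save_widget_title, and the victim's
//     browser attaches their WordPress session cookies, so the request is forged.
//  2. No capability check: any logged-in user reaches the handler.
//  3. The raw value is stored and later echoed unescaped, so the forged request
//     plants a script that runs for everyone who views the widget: stored XSS.
add_action('admin_post_demo_save_widget_title', 'demo_save_widget_title_vulnerable');
function demo_save_widget_title_vulnerable() {
    update_option('demo_widget_title', $_POST['title']);
    wp_safe_redirect(admin_url('admin.php?page=demo'));
    exit;
}
function demo_render_widget_title_vulnerable() {
    echo '<h2>' . get_option('demo_widget_title') . '</h2>';
}

// ---- Hardened shape --------------------------------------------------------
add_action('admin_post_demo_save_widget_title_fixed', 'demo_save_widget_title_fixed');
function demo_save_widget_title_fixed() {
    // Authorization: only users who may manage options can change the setting.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', 403);
    }
    // CSRF defence: the nonce is bound to the current user's session and to this
    // action. A third-party page cannot read it, so a cross-site POST lacks a
    // valid token and check_admin_referer() stops the request with wp_die().
    check_admin_referer('demo_save_widget_title', '_demo_nonce');

    // Sanitize on input: strip tags, unslash the value WordPress magic-quoted.
    $title = sanitize_text_field(wp_unslash($_POST['title'] ?? ''));
    update_option('demo_widget_title', $title);

    wp_safe_redirect(admin_url('admin.php?page=demo'));
    exit;
}
function demo_render_widget_title_fixed() {
    // Escape on output. This is the control that actually prevents the XSS,
    // even if a value reached the database through some other path.
    echo '<h2>' . esc_html(get_option('demo_widget_title', '')) . '</h2>';
}

// The settings form that targets the fixed handler must emit the nonce field,
// otherwise legitimate saves fail the check too.
function demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="demo_save_widget_title_fixed">
        <?php wp_nonce_field('demo_save_widget_title', '_demo_nonce'); ?>
        <input type="text" name="title"
               value="<?php echo esc_attr(get_option('demo_widget_title', '')); ?>">
        <?php submit_button('Save'); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of bug, look for every `admin_post_*`, `wp_ajax_*` and `admin_init`-driven save path and confirm three things in order: a capability check, a nonce check (`check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()`), and escaping at the point where the stored value is printed. A nonce alone does not prevent XSS, and escaping alone does not prevent CSRF; the advisory's "CSRF to stored XSS" wording describes exactly the case where both are absent.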
Details
- CWE(s): CWE-352 (Cross-Site Request Forgery)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw is a CSRF-to-stored-XSS vulnerability in a public-facing WordPress plugin. It is triggered by luring a user into following a malicious link, which causes unauthorized actions to be performed in the victim's authenticated browser session.