CVE-2025-24756
Published: 24 January 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-24756 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin Roi Calculator (roi-calculator) from mgplugin that enables Stored XSS. The issue affects all versions of the plugin from unknown initial release through 1.0 inclusive. It is rated 7.1 High severity under CVSS 3.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and maps to CWE-352.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity by tricking authenticated users into performing actions via a malicious request, such as through a crafted webpage or link that requires user interaction. Successful exploitation leads to Stored XSS, allowing attackers to inject and persist malicious scripts that execute in the context of other users viewing affected pages, with cross-origin scope change and low impacts to confidentiality, integrity, and availability.
The Patchstack advisory provides further details on the vulnerability, including analysis of the CSRF-to-Stored XSS chain in Roi Calculator version 1.0: https://patchstack.com/database/Wordpress/Plugin/roi-calculator/vulnerability/wordpress-roi-calculator-plugin-1-0-csrf-to-stored-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF-to-Stored XSS in public-facing WordPress plugin directly enables T1190 (Exploit Public-Facing Application); exploitation requires tricking authenticated users via crafted link/webpage, mapping to T1204.001 (Malicious Link).