CVE-2025-25075
Published: 07 February 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-25075 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin "Show notice or message on admin area" developed by Venugopal. This flaw enables Stored Cross-Site Scripting (XSS) and affects all versions of the plugin from n/a through 2.0 inclusive. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, user interaction, changed scope, and low impacts across confidentiality, integrity, and availability.
Unauthenticated attackers (PR:N) can exploit this CSRF vulnerability by tricking authenticated administrators into performing actions via a malicious webpage that requires user interaction (UI:R), such as visiting a crafted link. This leads to the storage of XSS payloads in the admin area, allowing arbitrary JavaScript execution in the context of logged-in admins upon viewing affected notices or messages.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/show-notice-or-message-on-admin-area/vulnerability/wordpress-show-notice-or-message-on-admin-area-plugin-2-0-csrf-to-stored-xss-vulnerability?_s_id=cve) documents the vulnerability and associated risks in the plugin.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The public-facing WordPress plugin vulnerability (CSRF to stored XSS) enables exploitation of a web application leading to arbitrary JavaScript execution in the admin browser context.