CVE-2025-25088
Published: 07 February 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-25088 is a Cross-Site Request Forgery (CSRF) vulnerability, corresponding to CWE-352, in the blackus3r WP Keyword Monitor WordPress plugin (wp-keyword-monitor). The issue affects all versions from n/a through 1.0.5 and was published on 2025-02-07. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, user interaction, changed scope, and low impacts to confidentiality, integrity, and availability.
An unauthenticated attacker can exploit this CSRF vulnerability over the network by tricking an authenticated user, such as a site administrator, into submitting a malicious request through a forged webpage or link. This could enable the attacker to perform unauthorized actions on behalf of the victim within the plugin's context.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-keyword-monitor/vulnerability/wordpress-wp-keyword-monitor-plugin-1-0-5-csrf-to-stored-xss-vulnerability?_s_id=cve describes the flaw as a CSRF-to-stored-XSS vulnerability in WP Keyword Monitor version 1.0.5.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF vulnerability enables attacker to inject stored XSS payload via malicious link (T1204.001) tricking authenticated user, which then facilitates arbitrary JavaScript execution in browser context (T1059.007).