CVE-2025-25138
Published: 07 February 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-25138 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin Rishi On Page SEO + Whatsapp Chat Button (ops-robots-txt) that enables Stored XSS. The vulnerability affects all versions of the plugin from n/a through 2.0.0. It was published on 2025-02-07 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
A remote attacker requires no privileges and can exploit the vulnerability over the network with low complexity by tricking an authenticated user into performing an unintended action via a forged request, which requires user interaction. Successful exploitation leads to Stored XSS, allowing the attacker to achieve low impacts on confidentiality, integrity, and availability within a changed scope.
The Patchstack advisory provides further details on the vulnerability, including mitigation guidance, at https://patchstack.com/database/Wordpress/Plugin/ops-robots-txt/vulnerability/wordpress-on-page-seo-social-live-chat-formerly-ops-plugin-2-0-0-csrf-to-stored-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF to Stored XSS in public-facing WordPress plugin directly enables T1190 exploitation and facilitates arbitrary JavaScript execution via T1059.007.