CVE-2025-25140
Published: 07 February 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-25140 is a Cross-Site Request Forgery (CSRF) vulnerability in the Scriptonite Simple User Profile WordPress plugin (simple-user-profile) that enables Stored Cross-Site Scripting (XSS). This issue affects all versions of the plugin from n/a through 1.9 inclusive. The vulnerability is classified under CWE-352 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The vulnerability can be exploited by an unauthenticated attacker over the network with low complexity, requiring user interaction from an authenticated victim. In a typical attack scenario, the attacker crafts a malicious webpage that, when visited by a logged-in user, triggers a CSRF request to store an XSS payload in the user's profile via the plugin. Once stored, the payload executes in the context of other users viewing the profile, potentially allowing session hijacking, data theft, or further site compromise due to the changed scope.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/simple-user-profile/vulnerability/wordpress-simple-user-profile-plugin-1-9-csrf-to-stored-xss-vulnerability?_s_id=cve) documents this CSRF-to-Stored XSS issue in Simple User Profile version 1.9 and earlier. Security practitioners should review this reference for detailed analysis and recommended mitigations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF to stored XSS in public-facing WordPress plugin directly enables T1190 (exploiting public-facing app over network) and facilitates T1185 (browser session hijacking via injected JS payload leading to cookie theft or further compromise).