CVE-2025-25148
Published: 07 February 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-25148 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin Read More Copy Link (also referred to as ElbowRobo Read More Copy Link or read-more-copy-link). This flaw enables Stored Cross-Site Scripting (XSS) and affects all versions of the plugin up to and including 1.0.2. The vulnerability was published on 2025-02-07 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
An unauthenticated attacker (PR:N) can exploit the CSRF vulnerability over the network (AV:N) by tricking an authenticated WordPress user into interacting with a malicious webpage (UI:R), such as clicking a link or visiting a site that automatically submits a forged request. This action stores an XSS payload on the site, which then executes in the browser context of subsequent visitors (S:C), potentially allowing low-level impacts on confidentiality, integrity, and availability, such as session token theft or malicious script execution.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/read-more-copy-link/vulnerability/wordpress-read-more-copy-link-plugin-1-0-2-csrf-to-stored-xss-vulnerability?_s_id=cve provides details on the vulnerability, with affected versions limited to <=1.0.2, recommending updates to patched releases for mitigation.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a CSRF flaw in a public-facing WordPress plugin that directly enables stored XSS exploitation over the network (T1190). The attack requires tricking an authenticated user into clicking a malicious link or visiting a crafted webpage to trigger the forged request (T1204.001).