CVE-2025-25152

CVE-2025-25152 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Smart DoFollow WordPress plugin developed by LukaszWiecek. This flaw enables Stored XSS and affects all versions of the plugin from its initial release through 1.0.2. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, and scope change despite needing user interaction.

Attackers can exploit this vulnerability remotely without authentication by tricking a legitimate user, such as an authenticated administrator, into performing a malicious action via a forged request. This leads to the storage of XSS payloads on the site, which execute in the victim's browser context when pages are loaded, potentially allowing limited compromise of confidentiality, integrity, and availability.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/smart-dofollow/vulnerability/wordpress-smart-dofollow-plugin-1-0-2-csrf-to-stored-xss-vulnerability?_s_id=cve provides detailed information on the vulnerability, including potential mitigation steps for affected WordPress installations.