CVE-2025-25154
Published: 07 February 2025
Description
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Security Summary
CVE-2025-25154 is a Cross-Site Request Forgery (CSRF) vulnerability in the scweber Custom Comment Notifications WordPress plugin (custom-comment-notifications) that allows Stored XSS. The issue affects all versions from n/a through 1.0.8, as documented with CWE-352 and a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). Published on 2025-02-07, it enables attackers to exploit insufficient CSRF protections to inject persistent cross-site scripting payloads.
Unauthenticated attackers accessible over the network can exploit this vulnerability with low attack complexity by tricking a user—typically an authenticated administrator or editor—into interacting with a maliciously crafted request, such as via a phishing link or webpage. Successful exploitation changes the scope to high, allowing the storage of XSS payloads in comments or notifications, which execute in the context of other users viewing affected content, resulting in low impacts to confidentiality, integrity, and availability.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/custom-comment-notifications/vulnerability/wordpress-custom-comment-notifications-plugin-1-0-8-csrf-to-stored-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in a public-facing WordPress plugin is exploited via CSRF triggered by a malicious/phishing link to achieve stored XSS, directly mapping to public-facing app exploitation and user interaction via malicious link.