CVE-2025-25168

CVE-2025-25168 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin BookPress – For Book Authors, also referred to as Black and White BookPress – For Book Authors book-press, that enables Cross-Site Scripting (XSS). The issue affects the plugin from unknown initial versions through version 1.2.7 inclusive and is associated with CWE-352.

With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability can be exploited remotely by unauthenticated attackers with low complexity, though it requires user interaction. An attacker can craft a malicious webpage that, when visited by an authenticated user, tricks the browser into submitting a forged request to the vulnerable plugin endpoint, resulting in the storage of XSS payloads. This leads to low impacts on confidentiality, integrity, and availability, with a changed scope due to the potential for the stored XSS to affect other users viewing the injected content.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/book-press/vulnerability/wordpress-bookpress-for-book-authors-plugin-1-2-7-csrf-to-stored-xss-vulnerability?_s_id=cve provides details on the vulnerability, including potential mitigation or patch information for affected installations.