CVE-2025-26543
Published: 13 February 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-26543 is a Cross-Site Request Forgery (CSRF) vulnerability in the Simple Responsive Menu WordPress plugin developed by Pukhraj Suthar, which allows for Stored XSS. The vulnerability affects all versions of the plugin from n/a through 2.1 inclusive.
The vulnerability can be exploited by unauthenticated attackers (PR:N) over the network (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R). An attacker can trick an authenticated user, such as a site administrator, into submitting a malicious request that stores an XSS payload on the site. Exploitation changes scope (S:C) and results in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), yielding a CVSS v3.1 base score of 7.1.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/simple-responsive-menu/vulnerability/wordpress-simple-responsive-menu-plugin-2-1-csrf-to-stored-xss-vulnerability?_s_id=cve documents the issue and associated CWE-352. Security practitioners should review this reference for details on patches and mitigation steps.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF-to-stored-XSS vulnerability in a public-facing WordPress plugin directly enables exploitation of public-facing web applications (T1190) and facilitates client-side JavaScript execution via the injected XSS payload (T1059.007).