CVE-2025-27277
Published: 24 February 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-27277 is a Cross-Site Request Forgery (CSRF) vulnerability, corresponding to CWE-352, in the tiefpunkt "Add Linked Images To Gallery" WordPress plugin (slug: add-linked-images-to-gallery-v01). This issue affects all versions from n/a through 1.4 inclusive. The vulnerability carries a CVSS v3.1 base score of 7.1, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network accessibility, low attack complexity, no privileges required, user interaction needed, changed scope, and low impacts to confidentiality, integrity, and availability.
Remote attackers without privileges can exploit this CSRF flaw by tricking an authenticated user into submitting a forged request, typically through user interaction such as clicking a crafted link or visiting a malicious site. Successful exploitation allows unauthorized actions within the plugin's context; with the scope change, the resulting impact on confidentiality, integrity, and availability is rated low.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/add-linked-images-to-gallery-v01/vulnerability/wordpress-add-linked-images-to-gallery-plugin-1-4-csrf-to-stored-xss-vulnerability?_s_id=cve details this as a CSRF-to-stored-XSS issue in version 1.4; security practitioners should consult it for specific mitigation steps, patch availability, or workarounds.
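The advisory classifies this as CSRF leading to stored XSS, which in a WordPress plugin normally means a form handler that accepts state-changing requests without a nonce or capability check and later renders the stored value without escaping. The following is an added illustration written for this page, not the plugin's own code: a hypothetical admin-post handler (all function, option and nonce names prefixed `hypothetical_` are invented) shown first in the CSRF-prone form and then in the hardened form that a plugin author would ship. Only standard WordPress core functions are used.

```php
<?php
// Added illustration (not the plugin's code): a hypothetical WordPress admin-post handler
// that stores a linked image URL and caption, in a CSRF-prone form and a hardened form.

// --- Vulnerable pattern (hypothetical): no nonce, no capability check, raw output ---
function hypothetical_save_linked_image_vulnerable() {
    // Every request reaching this endpoint is honoured, so a cross-site POST issued
    // by an authenticated administrator's browser is accepted (CWE-352).
    $url     = $_POST['image_url'];
    $caption = $_POST['caption'];
    update_option( 'hypothetical_linked_image', array( 'url' => $url, 'caption' => $caption ) );
}

function hypothetical_render_linked_image_vulnerable() {
    $img = get_option( 'hypothetical_linked_image' );
    // Unescaped output: whatever was stored via the forged request is rendered as HTML (stored XSS).
    echo '<img src="' . $img['url'] . '"><p>' . $img['caption'] . '</p>';
}

// --- Hardened pattern: capability check, nonce check, sanitised input, escaped output ---
function hypothetical_save_linked_image_hardened() {
    // 1. Capability check: only users allowed to manage options may change this setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. Nonce check: rejects requests that do not carry the token issued with the plugin's own form.
    check_admin_referer( 'hypothetical_linked_image_save', 'hypothetical_nonce' );

    // 3. Sanitise before storing.
    $url     = esc_url_raw( wp_unslash( $_POST['image_url'] ?? '' ) );
    $caption = sanitize_text_field( wp_unslash( $_POST['caption'] ?? '' ) );
    update_option( 'hypothetical_linked_image', array( 'url' => $url, 'caption' => $caption ) );

    wp_safe_redirect( admin_url( 'options-general.php?page=hypothetical-linked-images' ) );
    exit;
}

function hypothetical_render_form_hardened() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="hypothetical_save_linked_image">';
    // Emits the hidden nonce field that check_admin_referer() above verifies.
    wp_nonce_field( 'hypothetical_linked_image_save', 'hypothetical_nonce' );
    echo '<input type="url" name="image_url"> <input type="text" name="caption">';
    echo '<button type="submit">Save</button></form>';
}

function hypothetical_render_linked_image_hardened() {
    $img = get_option( 'hypothetical_linked_image', array( 'url' => '', 'caption' => '' ) );
    // 4. Escape on output: even a hostile value that reached storage is rendered inert.
    echo '<img src="' . esc_url( $img['url'] ) . '" alt=""><p>' . esc_html( $img['caption'] ) . '</p>';
}

// Route the admin-post action to the hardened handler.
add_action( 'admin_post_hypothetical_save_linked_image', 'hypothetical_save_linked_image_hardened' );
```

When reviewing a plugin for this class of issue, the checks to look for are exactly the four numbered steps above: a capability check and a nonce check (`check_admin_referer()` or `wp_verify_nonce()`) on every state-changing handler, sanitisation of input before it is stored, and escaping (`esc_html()`, `esc_url()`, `esc_attr()`) at the point of output. The nonce check alone closes the CSRF vector; the output escaping is what keeps a CSRF bypass from escalating to stored XSS.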
Details
- CWE(s): CWE-352 (Cross-Site Request Forgery)
MITRE ATT&CK Enterprise Techniques
- T1204.001 User Execution: Malicious Link
- T1059.007 Command and Scripting Interpreter: JavaScript
Why these techniques?
The CSRF step requires user interaction, such as following a crafted link or visiting a malicious site (T1204.001); the resulting stored XSS allows arbitrary JavaScript execution in the browsers of users who view the affected page (T1059.007).