CVE-2025-31443

CVE-2025-31443 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin KK I Like It (kk-i-like-it) developed by Krzysztof Furtak. This flaw enables Stored Cross-Site Scripting (XSS) and affects all versions of the plugin up to and including 1.7.5.3. The vulnerability received a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, and scope change.

Unauthenticated attackers can exploit this vulnerability by crafting a malicious webpage that, when visited by an authenticated WordPress user, triggers a CSRF request to the vulnerable plugin endpoint. This user interaction results in the storage of an XSS payload on the site, which can then execute arbitrary JavaScript in the context of other users viewing affected pages, potentially leading to session hijacking, data theft, or further site compromise with low impacts across confidentiality, integrity, and availability.

The Patchstack advisory provides details on this WordPress plugin vulnerability, including recommended mitigations such as updating to a patched version if available or applying protective measures like CSRF token validation. Security practitioners should consult the full advisory at https://patchstack.com/database/Wordpress/Plugin/kk-i-like-it/vulnerability/wordpress-kk-i-like-it-plugin-1-7-5-3-csrf-to-stored-xss-vulnerability?_s_id=cve for patch status and workaround guidance.