CVE-2025-31566
Published: 31 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-31566 is a Cross-Site Request Forgery (CSRF) vulnerability in the riosisgroup Rio Video Gallery WordPress plugin (rio-video-gallery) that enables Stored Cross-Site Scripting (XSS). This issue affects all versions of the plugin from n/a through 2.3.6 inclusive. The vulnerability is classified under CWE-352 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this vulnerability without privileges by tricking an authenticated user into interacting with a malicious site, such as by visiting a crafted webpage. The CSRF request would then store an XSS payload on the target WordPress site, allowing arbitrary JavaScript execution in the context of the site for subsequent visitors, including administrators or other users.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/rio-video-gallery/vulnerability/wordpress-rio-video-gallery-plugin-2-3-6-csrf-to-stored-xss-vulnerability?_s_id=cve provides details on this WordPress Rio Video Gallery plugin vulnerability in version 2.3.6. Security practitioners should consult this reference for any recommended patches or mitigations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a CSRF in a public-facing WordPress plugin directly enabling T1190 (Exploit Public-Facing Application). It facilitates stored XSS allowing arbitrary JavaScript execution in visitors' browsers, mapping to T1059.007 (JavaScript).