CVE-2025-31570
Published: 31 March 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-31570 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Related Posts Widget with Thumbnails WordPress plugin (advanced-css3-related-posts-widget) that enables Stored Cross-Site Scripting (XSS). The issue affects all versions from n/a through 1.2 inclusive, as published on 2025-03-31.
Attackers with network access can exploit this vulnerability without privileges (PR:N) through low-complexity methods (AC:L) that require user interaction (UI:R), such as tricking an authenticated site administrator into visiting a malicious page. Successful CSRF exploitation allows storage of XSS payloads, achieving low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L) but with a changed scope (S:C), resulting in a CVSS v3.1 base score of 7.1.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/advanced-css3-related-posts-widget/vulnerability/wordpress-related-posts-widget-with-thumbnails-plugin-1-2-csrf-to-stored-xss-vulnerability?_s_id=cve provides additional details on the vulnerability.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF to stored XSS in public-facing WordPress plugin directly enables T1190 (exploit public-facing application) and T1059.007 (JavaScript execution via XSS payload).