CVE-2025-31623
Published: 31 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-31623 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the richtexteditor Rich Text Editor WordPress plugin that enables Stored XSS. Published on 2025-03-31, it affects all versions of the plugin from n/a through 1.0.1, carrying a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Unauthenticated attackers can exploit this vulnerability remotely with low complexity, requiring only user interaction such as tricking a victim into visiting a malicious page or clicking a forged link. Exploitation via CSRF allows injection of Stored XSS payloads, achieving low impacts on confidentiality, integrity, and availability while changing scope to impact other users or components viewing the tainted content.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/richtexteditor/vulnerability/wordpress-rich-text-editor-plugin-1-0-1-csrf-to-stored-xss-vulnerability?_s_id=cve details the vulnerability in the WordPress Rich Text Editor plugin version 1.0.1 and provides associated mitigation guidance.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a CSRF vulnerability in a public-facing WordPress plugin that directly enables Stored XSS injection, mapping to exploitation of public-facing applications.