Cyber Resilience

CVE-2025-22520

Severity: High
Published: 07 January 2025
Modified: 23 April 2026
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0010 (28.0th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-22520 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 28.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-22520 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Tock Widget WordPress plugin (tock-widget). It affects all versions from the unknown initial release through 1.1 inclusive. The vulnerability was published on 2025-01-07 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): high severity because it is reachable over the network, has low attack complexity, requires no privileges, requires user interaction, and changes scope, with low impact on each of confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this CSRF vulnerability remotely by tricking authenticated users into performing unintended actions via malicious requests, such as through a crafted webpage. Exploitation requires user interaction, like visiting a malicious site while logged into a vulnerable WordPress site with the plugin active. Successful exploitation can result in low-level impacts on confidentiality, integrity, and availability, with the Patchstack reference specifically noting that it enables CSRF leading to stored XSS.

The Patchstack advisory provides details on this vulnerability, including assessment and potential mitigation steps, accessible at https://patchstack.com/database/Wordpress/Plugin/tock-widget/vulnerability/wordpress-tock-widget-plugin-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve. Security practitioners should review it for patching guidance, such as updating to a fixed version if available or implementing CSRF protections.
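To make the CSRF-to-stored-XSS chain and the corresponding protections concrete, the following is an added, hypothetical WordPress settings handler, not the Tock Widget plugin's code (which this page does not show). It places the weak shape beside the hardened form; all function, action and option names (demo_*) are assumptions.

```php
<?php
// Hypothetical plugin settings handler (assumed names; not the Tock Widget code).
// Weak form, shown only for comparison and never registered: any POST naming this
// action is honoured, so a page an admin visits while logged in can submit it on
// their behalf (CSRF). The value is stored unsanitized, and if it is later echoed
// unescaped the forged request becomes stored XSS.
function demo_save_widget_weak() {
    update_option( 'demo_widget_title', $_POST['title'] ); // no nonce, no capability check, no sanitizing
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}

// Hardened form: the request must carry a nonce bound to this action and the current
// user's session, the user must hold the capability, and input is sanitized on write.
function demo_save_widget_hardened() {
    // Stops the request with a 403 when the nonce is missing, expired, or issued to another session.
    check_admin_referer( 'demo_save_widget' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    update_option( 'demo_widget_title', $title );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}
// Only the authenticated hook is registered; no admin_post_nopriv_ variant exists for this action.
add_action( 'admin_post_demo_save_widget', 'demo_save_widget_hardened' );

// Settings form: wp_nonce_field() emits the hidden _wpnonce token that check_admin_referer() expects.
function demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'demo_save_widget' ); ?>
        <input type="hidden" name="action" value="demo_save_widget">
        <input type="text" name="title"
               value="<?php echo esc_attr( get_option( 'demo_widget_title', '' ) ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}

// Front-end output: escaping at the sink closes the stored-XSS half of the chain
// even if a bad value ever reached the database.
function demo_render_widget() {
    echo '<h3>' . esc_html( get_option( 'demo_widget_title', '' ) ) . '</h3>';
}
```

The nonce check maps to the SC-23 (session authenticity) control listed below, while the sanitize-on-write and escape-on-output steps map to SI-10 (input validation).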


Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in Tock Tock Widget tock-widget allows Cross Site Request Forgery. This issue affects Tock Widget: from n/a through <= 1.1.

CWE(s): CWE-352 (Cross-Site Request Forgery)

Related Threats: MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CSRF vulnerability in public-facing WordPress plugin directly enables remote exploitation of a web application (T1190), with the stored XSS outcome as a direct consequence of successful abuse.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-37102 (shared CWE-352)
CVE-2024-37450 (shared CWE-352)
CVE-2025-23558 (shared CWE-352)
CVE-2025-68722 (shared CWE-352)
CVE-2025-31440 (shared CWE-352)
CVE-2025-23848 (shared CWE-352)
CVE-2025-22571 (shared CWE-352)
CVE-2024-53684 (shared CWE-352)
CVE-2025-23455 (shared CWE-352)
CVE-2025-22582 (shared CWE-352)


Mitigating Controls (NIST 800-53 r5)

Prevent: SC-23 requires mechanisms to protect communications session authenticity, directly mitigating CSRF by preventing forged requests from authenticated sessions.

Prevent: SI-10 enforces information input validation, which verifies CSRF tokens and sanitizes inputs to block malicious payloads leading to stored XSS.

Prevent: SI-2 mandates timely flaw remediation, directly addressing this specific CSRF-to-stored-XSS vulnerability through patching the affected plugin.
