CVE-2025-22520
Published: 07 January 2025
Summary
CVE-2025-22520 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-22520 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Tock Widget WordPress plugin (tock-widget). This issue affects all versions from the unknown initial release through 1.1 inclusive. The vulnerability was published on 2025-01-07 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity: the flaw is reachable over the network, has low attack complexity, requires no privileges but does require user interaction, and involves a scope change, with low impacts on confidentiality, integrity, and availability.
Unauthenticated attackers can exploit this CSRF vulnerability remotely by tricking authenticated users into performing unintended actions via malicious requests, such as through a crafted webpage. Exploitation requires user interaction, like visiting a malicious site while logged into a vulnerable WordPress site with the plugin active. Successful exploitation can result in low-level impacts on confidentiality, integrity, and availability, with the Patchstack reference specifically noting that it enables CSRF leading to stored XSS.
The Patchstack advisory provides details on this vulnerability, including assessment and potential mitigation steps, accessible at https://patchstack.com/database/Wordpress/Plugin/tock-widget/vulnerability/wordpress-tock-widget-plugin-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve. Security practitioners should review it for patching guidance, such as updating to a fixed version if available or implementing CSRF protections.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2800
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in Tock Tock Widget tock-widget allows Cross Site Request Forgery. This issue affects Tock Widget: from n/a through <= 1.1.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF vulnerability in a public-facing WordPress plugin directly enables remote exploitation of a web application (T1190), with the stored XSS outcome a direct consequence of successful abuse.
Mitigating Controls (NIST 800-53 r5)
SC-23 requires mechanisms to protect communications session authenticity, directly mitigating CSRF by preventing forged requests from authenticated sessions.
SI-10 enforces information input validation, which covers verifying CSRF tokens and sanitizing submitted values so that malicious payloads cannot be stored and later rendered as XSS.
SI-2 mandates timely flaw remediation, directly addressing this specific CSRF-to-stored XSS vulnerability through patching the affected plugin.
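As an added illustration (not code from the Tock Widget plugin, the Patchstack advisory, or this page's own analysis): a hypothetical WordPress settings handler shown in its unprotected form beside a hardened one. It demonstrates how the CSRF-to-stored-XSS chain described above arises when a state-changing handler lacks a nonce check, and how the session-bound nonce (SC-23), capability check, input sanitization (SI-10) and output escaping close it. Every name prefixed `tw_example_` is invented for the example; the `wp_*`, `check_admin_referer`, `current_user_can`, `sanitize_text_field`, `esc_*` and `submit_button` calls are the real WordPress API.

```php
<?php
/**
 * Hypothetical settings handler for a WordPress widget plugin (example code,
 * not the Tock Widget plugin's own). Option, action and nonce names prefixed
 * tw_example_ are constructed for illustration.
 */

// --- Vulnerable pattern: no nonce, no capability check, raw value stored ---
// A POST to admin-post.php triggered from another site while an administrator
// is logged in would reach this handler and persist attacker-chosen HTML,
// which is the CSRF-to-stored-XSS chain the advisory describes.
function tw_example_save_settings_unsafe() {
    update_option( 'tw_example_title', $_POST['title'] ); // stored unsanitized
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// --- Hardened pattern ---
// Rendering the form: the nonce is bound to the current user's session and to
// this specific action, so a request forged from a third-party page cannot
// carry a valid one (the SC-23 "session authenticity" control).
function tw_example_render_form() {
    $title = get_option( 'tw_example_title', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="tw_example_save">
        <?php wp_nonce_field( 'tw_example_save', 'tw_example_nonce' ); ?>
        <label>Widget title
            <input type="text" name="title" value="<?php echo esc_attr( $title ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function tw_example_save_settings() {
    // 1. CSRF check: check_admin_referer() stops the request with an HTTP 403
    //    unless the nonce is valid for the current user and this action.
    check_admin_referer( 'tw_example_save', 'tw_example_nonce' );

    // 2. Authorization: a valid nonce proves intent, not privilege, so the
    //    capability check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 3. Input validation (SI-10): strip tags and control characters before
    //    storing, so script markup is never persisted in the first place.
    $title = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) )
        : '';
    update_option( 'tw_example_title', $title );

    wp_safe_redirect( admin_url( 'options-general.php?page=tw-example&saved=1' ) );
    exit;
}
add_action( 'admin_post_tw_example_save', 'tw_example_save_settings' );

// 4. Output escaping: escape at render time as well, so a value stored by an
//    older, unprotected version of the handler still cannot execute in a
//    site visitor's browser.
function tw_example_widget_output() {
    echo '<h3 class="tw-title">' . esc_html( get_option( 'tw_example_title', '' ) ) . '</h3>';
}
```

The defensive layers are deliberately independent: the nonce alone already defeats CSRF, but sanitizing on input and escaping on output mean that a future bypass of the nonce check (or legacy data written before the fix) does not reopen the stored XSS path, which is why SC-23 and SI-10 are listed as separate controls above.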