CVE-2025-22556
Published: 07 January 2025
Summary
CVE-2025-22556 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-22556 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Norse Rune Oracle plugin (norse-runes-oracle) for WordPress. The issue affects the plugin from unknown initial versions through version 1.4.2 inclusive. Published on January 7, 2025, it carries a CVSS v3.1 base score of 7.1, reflecting network accessibility, low attack complexity, no required privileges, user interaction, changed scope, and low impacts to confidentiality, integrity, and availability.
Unauthenticated attackers can exploit this CSRF vulnerability over the network by tricking authenticated users into performing unintended actions via malicious requests, such as from a crafted webpage. Exploitation requires user interaction, like visiting a malicious site while logged into a vulnerable WordPress site with the plugin enabled. Successful attacks enable limited disruption, including low-level unauthorized modifications or disclosures within the affected scope.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/norse-runes-oracle/vulnerability/wordpress-norse-rune-oracle-plugin-1-4-1-csrf-to-stored-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2834
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in WP CMS Ninja Norse Rune Oracle Plugin norse-runes-oracle allows Cross Site Request Forgery.This issue affects Norse Rune Oracle Plugin: from n/a through <= 1.4.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF in public-facing WordPress plugin directly enables exploitation of the web application over the network.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SC-23 requires mechanisms such as anti-CSRF tokens to protect the authenticity of communications sessions, directly preventing forged requests that exploit this CSRF vulnerability.
SI-10 mandates validation of information inputs, including CSRF tokens in requests, to block malicious forged actions by unauthenticated attackers tricking authenticated users.
SI-2 ensures identification, reporting, and timely remediation of flaws like this CSRF vulnerability in the Norse Rune Oracle plugin through patching to version beyond 1.4.2.