CVE-2025-23456
Published: 16 January 2025
Summary
CVE-2025-23456 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 28.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-23456 is a Cross-Site Request Forgery (CSRF) vulnerability in the Oddthinking EmailShroud WordPress plugin that allows Reflected Cross-Site Scripting (XSS). The issue affects all EmailShroud versions up to and including 2.2.1 (no lower bound is given) and is classified as CWE-352.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). Any network-based attacker without privileges can exploit it by tricking an authenticated user into performing an unintended action via a forged request, requiring user interaction such as clicking a malicious link. Successful exploitation enables reflected XSS, resulting in low impacts to confidentiality, integrity, and availability with a changed scope.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/emailshroud/vulnerability/wordpress-emailshroud-plugin-2-2-1-csrf-to-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve provides further details on the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3192
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in Oddthinking EmailShroud emailshroud allows Reflected XSS. This issue affects EmailShroud: from n/a through <= 2.2.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF-to-reflected-XSS vulnerability in a public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190). The reflected XSS payload lets an attacker inject and execute arbitrary JavaScript in the victim's browser context (Command and Scripting Interpreter: JavaScript, T1059.007).
Mitigating Controls (NIST 800-53 r5)
SC-23 enforces mechanisms to protect communications session authenticity, directly mitigating CSRF by preventing forged requests from exploiting valid authenticated sessions in the EmailShroud plugin.
SI-10 requires validation of information inputs like CSRF tokens, preventing unauthorized forged requests that could trigger reflected XSS in the vulnerable WordPress plugin.
SI-15 filters information outputs to block reflected XSS payloads delivered via the CSRF vulnerability in EmailShroud.
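An added illustration of the three controls above, written for this page rather than taken from the EmailShroud plugin: a hypothetical WordPress admin page handler in its CSRF-to-reflected-XSS form, beside a hardened version that applies a nonce check (SC-23), input sanitisation (SI-10) and output escaping (SI-15). The es_demo_ function names and the es_filter parameter are assumptions; the WordPress API calls are real.

```php
<?php
// Hypothetical plugin code illustrating the vulnerability class; not EmailShroud's own source.

// --- Vulnerable pattern: CSRF leading to reflected XSS ---
function es_demo_vulnerable_page() {
    // No nonce: a third-party site can have a logged-in admin's browser issue this request.
    // No escaping: the attacker-chosen value is reflected verbatim into the admin page.
    if ( isset( $_GET['es_filter'] ) ) {
        echo '<p>Filter: ' . $_GET['es_filter'] . '</p>';
    }
}

// --- Hardened pattern ---
function es_demo_hardened_page() {
    // Least privilege: only users who may manage options reach this handler at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    $filter = '';
    if ( isset( $_GET['es_filter'] ) ) {
        // SC-23 (session authenticity): the nonce binds the request to this user's session and
        // this action, so a cross-site forged request fails here; check_admin_referer() dies on failure.
        check_admin_referer( 'es_demo_filter', '_es_nonce' );

        // SI-10 (input validation): strip slashes added by WordPress and normalise to plain text.
        $filter = sanitize_text_field( wp_unslash( $_GET['es_filter'] ) );

        // SI-15 (output filtering): escape on output so a reflected value can never become markup.
        echo '<p>Filter: ' . esc_html( $filter ) . '</p>';
    }

    // Legitimate requests originate from this form, which carries the nonce as a hidden field.
    echo '<form method="get" action="' . esc_url( admin_url( 'admin.php' ) ) . '">';
    echo '<input type="hidden" name="page" value="es-demo" />';
    wp_nonce_field( 'es_demo_filter', '_es_nonce' );
    echo '<input type="text" name="es_filter" value="' . esc_attr( $filter ) . '" />';
    echo '<button type="submit">Apply</button>';
    echo '</form>';
}
```

With the hardened handler, a request that lacks a valid `_es_nonce` never reaches the code that reflects `es_filter`, and even a request that does is rendered through `esc_html()`, so the two controls are independent layers rather than a single check.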