Cyber Resilience

CVE-2025-23463

High

Published: 16 January 2025
Modified: 23 April 2026
CISA KEV: not listed
CVSS v3.1: 7.1 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS: 0.0010 (28.0th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-23463 is a high-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability with a CVSS v3.1 base score of 7.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 28.0th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-23463 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin "MD Custom Content After or Before of Post" by Mukesh Dak. The forged request writes attacker-controlled content into the plugin's settings, which the plugin later renders into the site's pages, so the CSRF escalates to stored XSS. The advisory lists all versions up to and including 1.0 as affected, with no lower bound given. It is classified under CWE-352 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): reachable over the network, low attack complexity, no privileges required of the attacker, user interaction required, changed scope (the injected script runs in the browsers of other users, outside the vulnerable component's own authorization scope), and low impact on confidentiality, integrity and availability.

Exploitation needs no privileges of the attacker's own, only a victim who holds them. An unauthenticated attacker lures a logged-in user, typically an administrator who can edit the plugin's settings, to a page the attacker controls; that page makes the victim's browser submit the plugin's settings request, with the victim's session cookie attached automatically, carrying a script payload. Because the plugin accepts the request without verifying that the user intentionally initiated it, the payload is saved and then rendered into the site's pages. From that point the script executes in the browsers of ordinary visitors and administrators, which can lead to session hijacking, data theft or further site compromise, while the attacker's own involvement ended with the initial lure.

Patchstack has published an advisory at https://patchstack.com/database/Wordpress/Plugin/md-custom-content/vulnerability/wordpress-md-custom-content-after-or-before-of-post-plugin-1-0-csrf-to-stored-xss-vulnerability?_s_id=cve, which practitioners should consult for the current remediation status. The options are to update the plugin if a patched version is available, or otherwise to add CSRF protection to the settings handler (in WordPress, a nonce verified with check_admin_referer() or wp_verify_nonce() before anything is saved) together with sanitization and output encoding of the injected content. To find installs that need attention, list the plugin on each site; with WP-CLI that is wp plugin list --name=md-custom-content --fields=name,version,status, assuming the slug md-custom-content given in the CVE description.


Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in Mukesh Dak MD Custom content after or before of post md-custom-content allows Stored XSS. This issue affects MD Custom content after or before of post: from n/a through <= 1.0.

CWE(s)

CWE-352 Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1185 Browser Session Hijacking (Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

Why these techniques?

The plugin runs on a public-facing WordPress site, so the entry point maps to T1190. The resulting stored XSS maps to T1185 because the injected script executes in victims' browsers, which is the mechanism behind the session theft and site compromise described above.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One (shared CWE-352)

CVE-2025-23900
CVE-2026-29784
CVE-2025-25140
CVE-2025-23567
CVE-2025-31443
CVE-2025-31444
CVE-2025-22690
CVE-2025-26577
CVE-2025-30587
CVE-2025-23501


Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

- prevent: Timely remediation through patching the vulnerable WordPress plugin directly eliminates the CSRF to stored XSS flaw across all affected versions.
- prevent (SC-23 Session Authenticity): Enforces session authenticity mechanisms such as CSRF tokens to block unauthenticated attackers from forging requests that store XSS payloads in plugin settings.
- prevent (SI-10 Information Input Validation): Validates inputs to the plugin's content insertion functionality to reject malicious XSS scripts submitted via CSRF.
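The following is an added example, not code from the MD Custom Content plugin or from Patchstack. It reconstructs the general shape of a CSRF-to-stored-XSS settings handler as described in the analysis above, beside a hardened version that applies the two controls listed here (SC-23 via a WordPress nonce, SI-10 via input sanitization plus output filtering). The function, option, action and nonce names (mdcc_*) are illustrative assumptions; the WordPress API calls themselves are real.

```php
<?php
/**
 * Hypothetical reconstruction of a CSRF-to-stored-XSS pattern in a WordPress
 * settings handler, beside a hardened version. NOT the MD Custom Content
 * plugin's code: mdcc_* names, the option name and the action name are
 * illustrative assumptions. The WordPress API calls are real.
 */

/* ---------- Vulnerable pattern (shown for contrast; deliberately NOT hooked) ---------- */

// Saves whatever was POSTed, with no nonce and no capability check. A page the
// attacker controls can auto-submit a form to admin-post.php?action=mdcc_save
// from a logged-in admin's browser, and the session cookie goes along with it.
function mdcc_save_settings_vulnerable() {
    update_option( 'mdcc_after_content', $_POST['mdcc_after_content'] ); // raw HTML, unvalidated
}

// Echoes the stored option into every post without escaping, so an injected
// <script> runs for every visitor: that is the "stored XSS" half of the bug.
function mdcc_render_vulnerable( $content ) {
    return $content . get_option( 'mdcc_after_content' );
}

/* ---------- Hardened version ---------- */

// Settings form: the nonce field is what makes the save request unforgeable.
function mdcc_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="mdcc_save">
        <?php wp_nonce_field( 'mdcc_save_settings', 'mdcc_nonce' ); ?>
        <textarea name="mdcc_after_content"><?php
            echo esc_textarea( get_option( 'mdcc_after_content', '' ) );
        ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function mdcc_save_settings_hardened() {
    // SC-23: the nonce is tied to this user's session and this action, so a
    // cross-site form cannot produce a valid one. Fails closed with HTTP 403.
    check_admin_referer( 'mdcc_save_settings', 'mdcc_nonce' );

    // Authorization is a separate check from CSRF protection: a valid nonce
    // from a low-privilege account must still not be allowed to write settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // SI-10: accept only the HTML allowed in post content. wp_kses_post() drops
    // <script>, on* event handlers and javascript: URLs before anything is stored.
    $raw = '';
    if ( isset( $_POST['mdcc_after_content'] ) && is_string( $_POST['mdcc_after_content'] ) ) {
        $raw = wp_unslash( $_POST['mdcc_after_content'] );
    }
    update_option( 'mdcc_after_content', wp_kses_post( $raw ) );

    wp_safe_redirect( admin_url( 'options-general.php?page=mdcc&updated=1' ) );
    exit;
}
add_action( 'admin_post_mdcc_save', 'mdcc_save_settings_hardened' );

// Output side: filter again on the way out as defence in depth, so a payload
// written by an older, unpatched version of the handler still cannot execute.
function mdcc_render_hardened( $content ) {
    if ( ! is_singular( 'post' ) ) {
        return $content;
    }
    return $content . wp_kses_post( get_option( 'mdcc_after_content', '' ) );
}
add_filter( 'the_content', 'mdcc_render_hardened' );
```

The nonce check and the capability check are independent: the nonce proves the request came from a form WordPress rendered for this user and this action, the capability check proves the user is allowed to make the change. wp_kses_post() is used because the feature exists to inject HTML around posts; if the content were plain text, sanitize_text_field() on input and esc_html() on output would be the stricter choice. Filtering on output as well as input means an option written by the unpatched handler is neutralized the moment the hardened code is deployed.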

References

Patchstack advisory: https://patchstack.com/database/Wordpress/Plugin/md-custom-content/vulnerability/wordpress-md-custom-content-after-or-before-of-post-plugin-1-0-csrf-to-stored-xss-vulnerability?_s_id=cve