CVE-2025-23463
Published: 16 January 2025
Summary
CVE-2025-23463 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-23463 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin "MD Custom Content After or Before of Post" by Mukesh Dak that can be chained into stored XSS. The affected range is listed as "n/a through 1.0", i.e. every release up to and including 1.0, with no lower bound specified. It is classified under CWE-352 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): network accessible, low attack complexity, no privileges required, user interaction required, changed scope, and low impact on each of confidentiality, integrity, and availability.
An unauthenticated attacker can exploit this vulnerability by tricking a legitimate user, such as an administrator with access to the plugin's settings, into visiting a malicious webpage or clicking a crafted link. This triggers a CSRF request that submits a payload to store an XSS script on the target WordPress site. Once stored, the XSS executes in the context of other site visitors or admins, potentially leading to session hijacking, data theft, or further site compromise.
Patchstack has published an advisory detailing the vulnerability at https://patchstack.com/database/Wordpress/Plugin/md-custom-content/vulnerability/wordpress-md-custom-content-after-or-before-of-post-plugin-1-0-csrf-to-stored-xss-vulnerability?_s_id=cve, which security practitioners should consult for recommended mitigations, such as updating the plugin if a patched version is available or implementing CSRF protections.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3196
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in Mukesh Dak MD Custom content after or before of post (md-custom-content) allows Stored XSS. This issue affects MD Custom content after or before of post: from n/a through <= 1.0.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw sits in a public-facing WordPress plugin, so initial exploitation maps to Exploit Public-Facing Application (T1190); the resulting stored XSS directly enables browser session hijacking (T1185), matching the session theft and site compromise described above.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Timely remediation through patching the vulnerable WordPress plugin directly eliminates the CSRF-to-stored-XSS flaw across all affected versions.
- SC-23 (Session Authenticity): enforce session authenticity mechanisms such as CSRF tokens (WordPress nonces) so that an unauthenticated attacker cannot forge requests that store XSS payloads in the plugin's settings.
- SI-10 (Information Input Validation): validate and sanitise inputs to the plugin's content insertion functionality so that malicious script submitted via CSRF is rejected before it is stored or rendered.
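As an added illustration (not the affected plugin's code; the option name, action slug and function names are assumptions), a minimal WordPress settings handler with the gaps that SC-23 and SI-10 address, beside its hardened form:

```php
<?php
// Hypothetical plugin settings handler; option name 'md_demo_after_post' and
// action slug 'md_demo_save' are assumptions, not the real plugin's values.

// BEFORE: no nonce, no capability check, no sanitisation. A forged cross-site
// POST riding on an administrator's session stores arbitrary HTML that is
// later rendered to every visitor. (Shown for contrast; never registered.)
function md_demo_save_unsafe() {
    update_option( 'md_demo_after_post', $_POST['content'] );
}

// AFTER: settings form that carries a nonce bound to the user's session.
function md_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'md_demo_save', 'md_demo_nonce' ); ?>
        <input type="hidden" name="action" value="md_demo_save">
        <textarea name="content"><?php echo esc_textarea( get_option( 'md_demo_after_post', '' ) ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// AFTER: hardened handler.
function md_demo_save_safe() {
    // SC-23: the nonce is tied to the logged-in user and the 'md_demo_save'
    // action; a request forged from another origin cannot supply a valid one.
    check_admin_referer( 'md_demo_save', 'md_demo_nonce' );

    // Least privilege: only users allowed to manage options may change content.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // SI-10: keep only the post-safe HTML subset; <script>, on* handlers and
    // javascript: URLs are removed before the value is stored.
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );
    update_option( 'md_demo_after_post', $content );

    wp_safe_redirect( admin_url( 'options-general.php?page=md-demo&updated=1' ) );
    exit;
}
add_action( 'admin_post_md_demo_save', 'md_demo_save_safe' );

// Render side: filter again on output so stored content is never trusted as-is.
function md_demo_append_content( $post_content ) {
    return $post_content . wp_kses_post( get_option( 'md_demo_after_post', '' ) );
}
add_filter( 'the_content', 'md_demo_append_content' );
```

The nonce check and the capability check together close the CSRF path; the `wp_kses_post()` filter on both store and render closes the stored-XSS path even if an older unsanitised value is still in the database.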