Cyber Resilience

CVE-2025-23497

High

Published: 16 January 2025

Published
16 January 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0006 17.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-23497 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-23497 is a Cross-Site Request Forgery (CSRF) vulnerability in the albdesign Simple Project Manager WordPress plugin (simple-project-managment) that allows Stored Cross-Site Scripting (XSS). The issue affects versions from n/a through 1.2.2. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and maps to CWE-352.

Unauthenticated attackers (PR:N) can exploit this over the network (AV:N) with low complexity (AC:L) by tricking authenticated users (UI:R) into performing actions via forged requests. Successful exploitation stores XSS payloads, enabling script execution in the context of other users with changed scope (S:C) and low impacts on confidentiality, integrity, and availability.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/simple-project-managment/vulnerability/wordpress-simple-project-manager-plugin-1-2-2-csrf-to-stored-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the CSRF-to-Stored XSS vulnerability in Simple Project Manager plugin version 1.2.2.

EU & UK References

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in albdesign Simple Project Manager simple-project-managment allows Stored XSS.This issue affects Simple Project Manager: from n/a through <= 1.2.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Vulnerability in public-facing WordPress plugin enables exploitation via T1190; CSRF requires tricking user with malicious link (T1204.001); stored XSS enables JavaScript script execution in browser (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-31613Shared CWE-352
CVE-2025-23677Shared CWE-352
CVE-2025-26569Shared CWE-352
CVE-2025-27355Shared CWE-352
CVE-2025-23537Shared CWE-352
CVE-2025-23870Shared CWE-352
CVE-2025-31569Shared CWE-352
CVE-2025-23577Shared CWE-352
CVE-2025-28931Shared CWE-352
CVE-2025-25121Shared CWE-352

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2025-23497 by requiring timely identification, reporting, and patching of the flawed Simple Project Manager WordPress plugin vulnerable to CSRF-to-Stored XSS.

prevent

Prevents CSRF exploitation in the plugin by enforcing session authenticity mechanisms such as synchronizer tokens or secure cookies to validate legitimate requests before storing data.

prevent

Blocks storage of XSS payloads via CSRF by validating and sanitizing information inputs to the Simple Project Manager plugin against malicious scripts.

References