CVE-2025-23497
Published: 16 January 2025
Summary
CVE-2025-23497 is a high-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in the albdesign Simple Project Manager WordPress plugin that leads to stored cross-site scripting. Its CVSS v3.1 base score is 7.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 12.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates CVE-2025-23497 by requiring timely identification, reporting, and patching of the flawed Simple Project Manager WordPress plugin; versions up to and including 1.2.2 are affected.
- SC-23 (Session Authenticity): prevents CSRF exploitation of the plugin by binding state-changing requests to a per-user, per-action token (synchronizer token, or in WordPress terms a nonce) and to properly scoped cookies, so a request forged from another origin is rejected before anything is stored.
- SI-10 (Information Input Validation): blocks storage of XSS payloads delivered via CSRF by validating and sanitizing input to the plugin on the way in, and by escaping it on the way out so that any script-bearing value that does get stored is rendered inert.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerable plugin runs on a public-facing WordPress site, so the entry point is Exploit Public-Facing Application (T1190). CSRF requires tricking an authenticated user into loading attacker-controlled content, which is User Execution: Malicious Link (T1204.001). The resulting stored XSS executes attacker-supplied script in other users' browsers, which is Command and Scripting Interpreter: JavaScript (T1059.007).
NVD Description
Cross-Site Request Forgery (CSRF) vulnerability in albdesign Simple Project Manager simple-project-managment allows Stored XSS. This issue affects Simple Project Manager: from n/a through <= 1.2.2.
Deeper analysis
CVE-2025-23497 is a Cross-Site Request Forgery (CSRF) vulnerability in the albdesign Simple Project Manager WordPress plugin (slug simple-project-managment) that allows Stored Cross-Site Scripting (XSS). It affects all versions up to and including 1.2.2. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and maps to CWE-352.
An unauthenticated attacker (PR:N) exploits it over the network (AV:N) with low complexity (AC:L) by tricking a logged-in user with sufficient privileges (UI:R) into loading a page that submits a forged request to the plugin; the victim's browser attaches the WordPress session cookie, and the plugin accepts the request because it does not verify that the request originated from its own form. The forged request stores an XSS payload, which later executes in the browsers of other users who view the affected data. Scope is changed (S:C) because the script runs in those users' browser contexts rather than within the vulnerable plugin's own security authority; the confidentiality, integrity, and availability impacts are each rated low. Two defects are therefore needed together: a missing CSRF check on the state-changing request and missing sanitization or escaping of the stored value.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/simple-project-managment/vulnerability/wordpress-simple-project-manager-plugin-1-2-2-csrf-to-stored-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the CSRF-to-Stored XSS vulnerability in Simple Project Manager version 1.2.2; administrators should update to a release newer than 1.2.2 as soon as one is available and, until then, should be cautious about following untrusted links while logged in to the affected site.
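To make the two-defect pattern above and the SC-23 / SI-10 controls concrete, here is an added example of a WordPress request handler in its vulnerable and hardened forms. It is illustrative code written for this page, not the Simple Project Manager plugin's actual code: the function names, the `spm_demo_` option and field names, the `spm_demo_save_project` nonce action and the `manage_options` capability are all assumptions chosen for the example. Only the WordPress API calls (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `wp_unslash`, `sanitize_text_field`, `esc_html`, `update_option`, `get_option`, `submit_button`, `wp_die`) are real.

```php
<?php
// Hypothetical "save project name" handler. NOT the Simple Project Manager
// plugin's code; it only illustrates the CSRF-to-stored-XSS pattern and its fix.

// ---- Vulnerable pattern (as described in the advisory class) -------------
// No nonce, no capability check, raw input stored, raw value echoed.
// A page on another origin can POST spm_project_name="<script>...</script>"
// from a logged-in victim's browser and the value is stored and later rendered.
function spm_demo_save_project_vulnerable() {
    if ( isset( $_POST['spm_project_name'] ) ) {
        update_option( 'spm_demo_project_name', $_POST['spm_project_name'] ); // stored as-is
    }
    echo '<p>Project: ' . get_option( 'spm_demo_project_name', '' ) . '</p>'; // rendered as-is
}

// ---- Hardened pattern -----------------------------------------------------

// The form embeds a nonce tied to the current user and to this specific action.
function spm_demo_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'spm_demo_save_project', 'spm_demo_nonce' ); // SC-23: synchronizer token
    echo '<input type="text" name="spm_project_name">';
    submit_button( 'Save' );
    echo '</form>';
}

function spm_demo_save_project_hardened() {
    if ( ! isset( $_POST['spm_project_name'] ) ) {
        return;
    }

    // SC-23: a request forged from another origin cannot carry a valid nonce,
    // because the attacker's page cannot read the victim's form. On a missing or
    // invalid nonce check_admin_referer() stops execution with an error page.
    check_admin_referer( 'spm_demo_save_project', 'spm_demo_nonce' );

    // Least privilege: possessing a session cookie is not the same as being
    // allowed to change this setting. (Capability name is an assumption.)
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // SI-10: normalise on the way in. sanitize_text_field() strips tags, NUL
    // bytes and extra whitespace, so "<script>" never reaches the database.
    $name = sanitize_text_field( wp_unslash( $_POST['spm_project_name'] ) );
    update_option( 'spm_demo_project_name', $name );
}

function spm_demo_render_project() {
    // Defence in depth: escape on the way out even though input was sanitized,
    // so a value stored by some other code path still cannot execute.
    echo '<p>Project: ' . esc_html( get_option( 'spm_demo_project_name', '' ) ) . '</p>';
}
```

The nonce check is what defeats CSRF; the capability check and the sanitize-in / escape-out pair are independent of it and are what stop the stored-XSS half of the chain. When reviewing a plugin for this class of bug, look for every handler that writes to the database on a POST or GET parameter and confirm all three are present; a nonce check alone does not make unsanitized output safe, and sanitization alone does not stop a forged request from succeeding.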
Details
- CWE(s)