CVE-2025-23530
Published: 16 January 2025
Summary
CVE-2025-23530 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 37.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-23530 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the yonisink Custom Post Type Lockdown WordPress plugin (custom-post-type-lockdown). The flaw enables privilege escalation and affects the plugin from unknown initial versions through version 1.11 inclusive.
With a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), the vulnerability is exploitable over the network by unauthenticated attackers with low complexity, requiring only user interaction such as clicking a malicious link or submitting a forged request. Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability, specifically through privilege escalation on the targeted WordPress site.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/custom-post-type-lockdown/vulnerability/wordpress-custom-post-type-lockdown-plugin-1-11-csrf-to-privilege-escalation-vulnerability?_s_id=cve) documents this CSRF-to-privilege-escalation issue in Custom Post Type Lockdown version 1.11.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3231
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in yonisink Custom Post Type Lockdown custom-post-type-lockdown allows Privilege Escalation. This issue affects Custom Post Type Lockdown: from n/a through <= 1.11.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF vulnerability directly enables privilege escalation on the WordPress site, mapping to T1068 Exploitation for Privilege Escalation.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SC-23 requires mechanisms such as anti-CSRF tokens to protect session authenticity, directly preventing forged requests that exploit this CSRF vulnerability.
SI-2 mandates timely identification, reporting, and correction of system flaws like this plugin vulnerability, preventing exploitation through patching.
AC-6 enforces least privilege, limiting the damage from privilege escalation even if the CSRF attack succeeds.
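To make the SC-23 and AC-6 controls above concrete, the following is an added illustration and not code from the Custom Post Type Lockdown plugin or its author. It shows a hypothetical WordPress settings handler in the weak form (a state-changing POST accepted on the strength of the auth cookie alone) next to a hardened form that binds the request to a nonce and checks the caller's capability. The function names prefixed `cptl_example_`, the option name `cptl_example_locked_types`, the nonce action and the `manage_options` capability are all assumptions chosen for the example; `wp_nonce_field()`, `check_admin_referer()`, `current_user_can()` and the `admin_post_{action}` hook are standard WordPress APIs.

```php
<?php
// Added illustration (not the plugin's code). Names prefixed cptl_example_ and
// the option key are assumptions made for this example.

// --- Weak pattern: a state-changing POST with no proof of request origin. ---
// If a logged-in administrator loads a third-party page that auto-submits a
// form to this endpoint, the browser attaches the WordPress auth cookie and
// the update is applied. Nothing ties the request to a form the admin loaded.
function cptl_example_save_settings_weak() {
    if ( isset( $_POST['cptl_locked_types'] ) ) {
        $types = array_map( 'sanitize_key', (array) $_POST['cptl_locked_types'] );
        update_option( 'cptl_example_locked_types', $types );
    }
}

// --- Hardened pattern: SC-23 (session authenticity) via a nonce bound to the
// user's session and this action, plus AC-6 (least privilege) via an explicit
// capability check before any write. ---
function cptl_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cptl_example_save" />
        <?php wp_nonce_field( 'cptl_example_save_settings', 'cptl_example_nonce' ); ?>
        <input type="text" name="cptl_locked_types[]" value="post" />
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function cptl_example_save_settings_hardened() {
    // AC-6: only users permitted to manage the site may change these settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }

    // SC-23: check_admin_referer() verifies the nonce emitted by
    // wp_nonce_field() and terminates the request with a 403 if it is
    // missing, expired or issued for a different user or action.
    check_admin_referer( 'cptl_example_save_settings', 'cptl_example_nonce' );

    $types = isset( $_POST['cptl_locked_types'] )
        ? array_map( 'sanitize_key', (array) $_POST['cptl_locked_types'] )
        : array();
    update_option( 'cptl_example_locked_types', $types );

    wp_safe_redirect( admin_url( 'options-general.php?page=cptl-example&updated=1' ) );
    exit;
}

// admin_post_{action} only fires for logged-in users; the nonce check inside
// the handler is what stops a logged-in user from being driven into it by a
// page they did not intend to submit.
add_action( 'admin_post_cptl_example_save', 'cptl_example_save_settings_hardened' );
```

A quick review check for any WordPress handler of this kind: every code path that calls `update_option()`, `wp_update_user()` or a similar write should be preceded by both a capability check and a nonce verification; a nonce alone does not enforce least privilege, and a capability check alone does not stop a forged request from a user who already holds that capability.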