CVE-2025-23537

High

Published: 16 January 2025

Published

16 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0014 33.4th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-23537 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-23 Session Authenticity good match

prevent

Protects against the CSRF vector in CVE-2025-23537 by enforcing session authenticity mechanisms like anti-CSRF tokens to block unauthorized requests injecting stored XSS payloads.

SI-10 Information Input Validation good match

prevent

Validates inputs to the vulnerable WordPress plugin to prevent malicious script injection enabling stored XSS via CSRF exploitation.

SI-15 Information Output Filtering good match

prevent

Filters system outputs to block execution of stored malicious scripts resulting from the CSRF-to-XSS vulnerability in the plugin.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.007 JavaScript Execution

Adversaries may abuse various implementations of JavaScript for execution.

attack.mitre.org →

T1204.001 Malicious Link Execution

An adversary may rely upon a user clicking a malicious link in order to gain execution.

attack.mitre.org →

Why these techniques?

CSRF vuln in public-facing WordPress plugin directly enables T1190 exploitation; requires malicious link for user interaction (T1204.001); stored XSS enables arbitrary JavaScript execution (T1059.007).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Cross-Site Request Forgery (CSRF) vulnerability in קידום ובניית אתרים add custom google tag manager add-custom-google-tag-manager allows Stored XSS.This issue affects add custom google tag manager: from n/a through <= 1.0.3.

Deeper analysisAI

CVE-2025-23537 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin "add custom google tag manager" from developer קידום ובניית אתרים, affecting all versions from n/a through 1.0.3. The flaw, classified under CWE-352, enables Stored Cross-Site Scripting (XSS) when exploited via CSRF. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network-accessible exploitation with low complexity, no required privileges, user interaction, changed scope, and low impacts across confidentiality, integrity, and availability.

Remote attackers require no authentication privileges but need to lure a targeted user, such as a site administrator, into interacting with a malicious resource like a crafted webpage or link. This triggers an unintended CSRF request to the plugin, allowing injection of malicious payloads that result in stored XSS. Successful exploitation executes arbitrary scripts in the context of the WordPress site, potentially compromising visitor sessions, stealing data, or performing other malicious actions with low-level impacts due to the changed scope.

The Patchstack advisory provides further details on this vulnerability, including potential mitigation guidance, at https://patchstack.com/database/Wordpress/Plugin/add-custom-google-tag-manager/vulnerability/wordpress-add-custom-google-tag-manager-plugin-1-0-3-csrf-to-stored-cross-site-scripting-vulnerability?_s_id=cve.

Details

CWE(s): CWE-352

CVEs Like This One

CVE-2025-23677Shared CWE-352

CVE-2025-27355Shared CWE-352

CVE-2025-31613Shared CWE-352

CVE-2025-26569Shared CWE-352

CVE-2025-23870Shared CWE-352

CVE-2025-23497Shared CWE-352

CVE-2025-31569Shared CWE-352

CVE-2025-23577Shared CWE-352

CVE-2025-26543Shared CWE-352

CVE-2025-31616Shared CWE-352

References

https://patchstack.com/database/Wordpress/Plugin/add-custom-google-tag-manager/vulnerability/wordpress-add-custom-google-tag-manager-plugin-1-0-3-csrf-to-stored-cross-site-scripting-vulnerability?_s_id=cve
audit@patchstack.com