Cyber Resilience

CVE-2025-23558

High

Published: 16 January 2025

Published
16 January 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0006 17.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-23558 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-23558 is a Cross-Site Request Forgery (CSRF) vulnerability in the Geotagged Media WordPress plugin developed by digitalfisherman, which enables Stored Cross-Site Scripting (XSS). The flaw affects all versions of the geotagged-media plugin from unknown initial release through version 0.3.0 inclusive. Published on 2025-01-16, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and maps to CWE-352.

The vulnerability can be exploited by remote attackers with no required privileges through network-accessible vectors of low complexity, though it requires user interaction. By crafting malicious requests, attackers can trick authenticated users—such as site administrators—into inadvertently storing XSS payloads via CSRF, which then execute in the context of the affected site for other users. This achieves low impacts on confidentiality, integrity, and availability but with a changed scope.

The primary advisory from Patchstack (https://patchstack.com/database/Wordpress/Plugin/geotagged-media/vulnerability/wordpress-geotagged-media-plugin-0-3-0-csrf-to-stored-xss-vulnerability?_s_id=cve) documents the issue and should be consulted for detailed mitigation steps, such as applying available plugin updates beyond version 0.3.0.

EU & UK References

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in digitalfisherman Geotagged Media geotagged-media allows Stored XSS.This issue affects Geotagged Media: from n/a through <= 0.3.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CSRF to stored XSS in public-facing WordPress plugin directly enables T1190 exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-37102Shared CWE-352
CVE-2024-37450Shared CWE-352
CVE-2025-68722Shared CWE-352
CVE-2025-31440Shared CWE-352
CVE-2025-23848Shared CWE-352
CVE-2025-22571Shared CWE-352
CVE-2024-53684Shared CWE-352
CVE-2025-23455Shared CWE-352
CVE-2025-22582Shared CWE-352
CVE-2025-22538Shared CWE-352

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation requires timely patching of the Geotagged Media plugin beyond version 0.3.0, directly eliminating the CSRF-to-stored XSS vulnerability.

prevent

Session authenticity enforces anti-CSRF tokens or equivalent mechanisms to block forged requests that store XSS payloads in the plugin.

prevent

Information input validation on plugin endpoints rejects malicious XSS payloads tricked into submission via CSRF attacks.

References