CVE-2025-23573
Published: 16 January 2025
Summary
CVE-2025-23573 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 28.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-23573 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP Background Tile WordPress plugin (wp-background-tile by sammyb) that can be chained into stored cross-site scripting (XSS). All versions up to and including 1.0 are affected; the earliest affected version is not specified.
The vulnerability is exploitable over the network (AV:N) with low attack complexity (AC:L) and no privileges (PR:N), but it requires user interaction (UI:R). Scope is changed (S:C), because the stored payload executes in victims' browsers rather than in the vulnerable plugin itself, and confidentiality, integrity and availability impacts are each rated low (C:L/I:L/A:L), giving a CVSS v3.1 base score of 7.1 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). In practice the attacker lures a logged-in WordPress user who is permitted to save the plugin's data (typically an administrator) to a page under the attacker's control; that page submits a forged request, the victim's browser attaches the WordPress session cookie, and the plugin stores the attacker-supplied value without a nonce check or sanitization. The XSS payload then executes, within the site's origin, in the browser of any user who views the page where the stored value is rendered.
The Patchstack advisory provides further details on the vulnerability, including mitigation guidance, at https://patchstack.com/database/Wordpress/Plugin/wp-background-tile/vulnerability/wordpress-wp-background-tile-plugin-1-0-csrf-to-stored-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3257
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in sammyb WP Background Tile wp-background-tile allows Stored XSS. This issue affects WP Background Tile: from n/a through <= 1.0.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF-to-stored-XSS flaw sits in a public-facing WordPress plugin and is triggered by HTTP requests arriving from the network, which is why it maps to Exploit Public-Facing Application (T1190).
Mitigating Controls (NIST 800-53 r5)
SC-23 enforces session authenticity mechanisms like anti-CSRF tokens, directly preventing forged requests that exploit this CSRF vulnerability to store XSS payloads.
SI-10 requires validation of information inputs, preventing the storage of malicious XSS payloads submitted via the CSRF attack vector.
SI-15 requires output to be filtered and encoded before it is rendered, so that any payload already stored through the CSRF vector is neutralized rather than executed.
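To make the exploitation path from the Deeper analysis section and the three controls above concrete, here is an added example in PHP. It is a hypothetical WordPress settings handler, not code from the WP Background Tile plugin: the option name `bgtile_image_url`, the admin-post action `bgtile_save` and the form field names are assumptions. The first version has the CSRF-to-stored-XSS shape this advisory describes; the second applies an anti-CSRF nonce (SC-23), input validation (SI-10) and output encoding (SI-15).

```php
<?php
/*
 * Added illustration, not code from the WP Background Tile plugin: a hypothetical
 * WordPress settings handler in the CSRF-to-stored-XSS shape this advisory
 * describes, followed by the hardened version. The option name
 * 'bgtile_image_url', the admin-post action 'bgtile_save' and the field names
 * are assumptions made for the example.
 */

/* ---------- Vulnerable shape ---------- */

// Reached via wp-admin/admin-post.php?action=bgtile_save. Nothing ties the
// request to a form the user actually loaded (no nonce, SC-23 missing), so a
// page the attacker controls can auto-submit this POST; the victim's browser
// attaches the WordPress auth cookie and the request runs as the victim.
function bgtile_save_vulnerable() {
    if ( isset( $_POST['bgtile_image_url'] ) ) {
        // Raw value stored as-is (no validation, SI-10 missing).
        update_option( 'bgtile_image_url', $_POST['bgtile_image_url'] );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=bgtile' ) );
    exit;
}

function bgtile_render_vulnerable() {
    $url = get_option( 'bgtile_image_url', '' );
    // Stored value echoed without encoding (SI-15 missing). A value such as
    //   x" onerror="alert(document.cookie)
    // closes the src attribute and runs in every visitor's browser,
    // within the site's origin.
    echo '<img class="bgtile" src="' . $url . '" alt="">';
}

/* ---------- Hardened shape ---------- */

function bgtile_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="bgtile_save">
        <?php wp_nonce_field( 'bgtile_save', 'bgtile_nonce' ); ?>
        <input type="url" name="bgtile_image_url"
               value="<?php echo esc_attr( get_option( 'bgtile_image_url', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

function bgtile_save_hardened() {
    // SC-23: the request must carry a nonce WordPress issued to this user for
    // this action. A cross-site page cannot read the nonce, so a forged
    // request dies here with a 403 before anything is stored.
    check_admin_referer( 'bgtile_save', 'bgtile_nonce' );

    // Authorisation is a separate check: a valid nonce held by a low-privilege
    // user must still not change site-wide settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'bgtile' ), 403 );
    }

    // SI-10: accept only what the field is meant to hold, an http(s) URL.
    // esc_url_raw() strips characters such as " < > and returns '' for any
    // scheme outside the allowed list (javascript:, data:, ...).
    $raw = isset( $_POST['bgtile_image_url'] ) ? wp_unslash( $_POST['bgtile_image_url'] ) : '';
    $url = esc_url_raw( $raw, array( 'http', 'https' ) );
    if ( '' === $url ) {
        wp_die( esc_html__( 'Invalid image URL.', 'bgtile' ), 400 );
    }
    update_option( 'bgtile_image_url', $url );

    wp_safe_redirect( admin_url( 'options-general.php?page=bgtile' ) );
    exit;
}

function bgtile_render_hardened() {
    $url = get_option( 'bgtile_image_url', '' );
    // SI-15: encode at output for the context the value lands in (a src
    // attribute), even though it was validated on the way in; the database
    // may still hold values written before the fix was deployed.
    echo '<img class="bgtile" src="' . esc_url( $url ) . '" alt="">';
}

add_action( 'admin_post_bgtile_save', 'bgtile_save_hardened' );
```

Only the hardened handler is registered on the `admin_post_bgtile_save` hook; the vulnerable functions are kept for comparison. When auditing a plugin for this class of bug, look for `update_option()` (or any write) reachable from an `admin_post_*`, `admin-ajax` or settings-page handler with no `check_admin_referer()` / `wp_verify_nonce()` call before it, and for stored values echoed without `esc_attr()`, `esc_url()` or `esc_html()`. Do not rely on browser SameSite cookie defaults in place of the nonce: WordPress core does not set a SameSite attribute on its auth cookies and not every browser applies a Lax default, so the nonce check is the control the SC-23 mapping above refers to.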