CVE-2025-23577
Published: 16 January 2025
Summary
CVE-2025-23577 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 28th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly mitigates CVE-2025-23577 by identifying, reporting, and patching the CSRF-to-stored-XSS flaw in the Word Freshener WordPress plugin, versions through 1.3.
SC-23 (Session Authenticity): protects session authenticity so that an unauthenticated attacker cannot forge a request that a logged-in administrator's browser submits with the admin's session cookies; in WordPress the mechanism is a per-user, per-action nonce verified on every state-changing admin action.
SI-10 (Information Input Validation): validates and sanitizes input to the plugin's administrative actions so that a script payload submitted through a forged request is not accepted and stored; escaping the stored value when it is rendered closes the XSS sink as well.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF-to-stored-XSS chain in a public-facing WordPress plugin maps to T1190 (Exploit Public-Facing Application); delivering the forged request through a link or an attacker-controlled page maps to T1566.002 (Spearphishing Link) and T1204.001 (User Execution: Malicious Link); the stored payload then runs in administrators' browsers, which maps to T1059.007 (Command and Scripting Interpreter: JavaScript).
NVD Description
Cross-Site Request Forgery (CSRF) vulnerability in Sourov Amin Word Freshener word-freshener allows Stored XSS. This issue affects Word Freshener: from n/a through <= 1.3.
Deeper analysis
CVE-2025-23577 is a Cross-Site Request Forgery (CSRF) vulnerability in the Word Freshener WordPress plugin developed by Sourov Amin, which enables Stored XSS. The flaw affects the plugin from unknown initial versions through version 1.3 inclusive, as documented under CWE-352.
An unauthenticated attacker (PR:N) can exploit it over the network (AV:N) with low attack complexity (AC:L), but user interaction is required (UI:R): a logged-in administrator has to visit an attacker-controlled page or follow a forged link so that the browser submits the crafted request with the admin's session cookies. Because the injected script later executes in the browsers of users who view the stored value, the scope changes (S:C), with low impact on confidentiality, integrity, and availability (C:L/I:L/A:L), giving a CVSS v3.1 base score of 7.1. The root cause is that the plugin's administrative actions accept and store input without verifying that the request originated from the plugin's own settings page (in WordPress terms, no nonce check), so a forged request can persist an XSS payload.
Mitigation guidance is available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/word-freshener/vulnerability/wordpress-word-freshener-plugin-1-3-csrf-to-stored-xss-vulnerability?_s_id=cve, which details the vulnerability in the WordPress Word Freshener plugin version 1.3.
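The following is an added illustration of the pattern described above and in the mitigating-controls section; it is not Word Freshener's code and does not reproduce the actual flaw. The option key `wf_demo_phrases`, the hook names `wf_demo_save` / `wf_demo_save_vulnerable`, the nonce field `wf_demo_nonce`, and the settings page slug `wf-demo` are hypothetical. It shows a WordPress admin-post handler that stores a setting with no nonce check and renders it unescaped (CSRF leading to stored XSS), beside a hardened handler that enforces a capability check, a nonce (session authenticity), input sanitisation, and output escaping.

```php
<?php
/*
 * Illustrative example only (not the Word Freshener plugin's code).
 * All names below are hypothetical.
 */

// --- Vulnerable pattern -----------------------------------------------------
// admin_post_{action} only fires for logged-in users, so the attacker cannot
// call it directly. But a form on an attacker-controlled page that POSTs to
// /wp-admin/admin-post.php?action=wf_demo_save_vulnerable is sent by the
// victim admin's browser with the admin's session cookies, and nothing here
// proves the request came from the plugin's own settings page.
add_action( 'admin_post_wf_demo_save_vulnerable', function () {
    // No capability check, no nonce check, no sanitisation: raw input stored.
    update_option( 'wf_demo_phrases', $_POST['phrases'] ?? '' );
    wp_safe_redirect( admin_url( 'options-general.php?page=wf-demo' ) );
    exit;
} );

// The stored value is later printed without escaping. A value such as
// "</textarea><script>...</script>" saved via the forged request now runs for
// every administrator who opens the settings page: stored XSS.
function wf_demo_render_vulnerable() {
    echo '<textarea name="phrases">' . get_option( 'wf_demo_phrases', '' ) . '</textarea>';
}

// --- Hardened pattern -------------------------------------------------------
function wf_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wf_demo_save">
        <?php wp_nonce_field( 'wf_demo_save', 'wf_demo_nonce' ); ?>
        <!-- Output escaping: the stored value can never break out of the textarea. -->
        <textarea name="phrases"><?php echo esc_textarea( get_option( 'wf_demo_phrases', '' ) ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_wf_demo_save', function () {
    // 1. Least privilege: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. Session authenticity (SC-23): the nonce is tied to the logged-in user
    //    and to this action. A cross-site form cannot read it, so a forged
    //    request fails here with a 403 before anything is stored.
    check_admin_referer( 'wf_demo_save', 'wf_demo_nonce' );
    // 3. Input validation (SI-10): strip tags and control characters before
    //    persisting the value.
    $phrases = sanitize_textarea_field( wp_unslash( $_POST['phrases'] ?? '' ) );
    update_option( 'wf_demo_phrases', $phrases );
    wp_safe_redirect( admin_url( 'options-general.php?page=wf-demo' ) );
    exit;
} );
```

The nonce check is what closes the CSRF vector; sanitising on input and escaping on output are what remove the XSS sink, and both are worth keeping even after the nonce is added, since a nonce leak or a logic bypass would otherwise reopen the same chain. When reviewing a plugin, grep its `admin_post_` and `wp_ajax_` handlers for missing `check_admin_referer` / `wp_verify_nonce` calls and for `echo` of option values without `esc_html` / `esc_attr` / `esc_textarea`.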
Details
- CWE(s)