CVE-2025-23617
Published: 16 January 2025
Summary
CVE-2025-23617 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-23617 is a Cross-Site Request Forgery (CSRF) vulnerability in the Floatbox Plus WordPress plugin by cybio (floatbox-plus) that allows Stored XSS. The issue affects Floatbox Plus versions from n/a through 1.4.4.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, user interaction, changed scope, and low impacts to confidentiality, integrity, and availability. Unauthenticated attackers can exploit it by tricking authenticated users (such as administrators) into performing unintended actions via forged requests, leading to the storage and execution of malicious XSS payloads visible to other users.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/floatbox-plus/vulnerability/wordpress-floatbox-plus-plugin-1-4-4-csrf-to-stored-xss-vulnerability?_s_id=cve) documents the CSRF-to-Stored XSS vulnerability specifically in Floatbox Plus version 1.4.4.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3287
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in cybio Floatbox Plus floatbox-plus allows Stored XSS.This issue affects Floatbox Plus: from n/a through <= 1.4.4.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing WordPress plugin directly enables T1190 exploitation; stored XSS payload enables JavaScript execution via T1059.007.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces session authenticity mechanisms like anti-CSRF tokens to prevent unauthenticated attackers from tricking authenticated users into storing malicious XSS payloads via forged requests.
Validates and sanitizes inputs to the Floatbox Plus plugin to block malicious XSS scripts from being stored as a result of CSRF exploitation.
Filters information outputs from the plugin to neutralize any stored XSS payloads before they are rendered and executed in users' browsers.