CVE-2025-23649
Published: 16 January 2025
Summary
CVE-2025-23649 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-23649 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Auphonic Importer WordPress plugin (auphonic-importer) developed by Kreg Steppe. The flaw enables Stored Cross-Site Scripting (XSS) and affects all versions from n/a through 1.5.1. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and scope change.
Attackers can exploit this vulnerability remotely without privileges by tricking authenticated users into performing unintended actions via a malicious site, such as submitting a CSRF request that stores an XSS payload. Upon success, the stored XSS executes in the context of subsequent users viewing affected content, potentially leading to session hijacking, data theft, or further site compromise with low impacts across confidentiality, integrity, and availability.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/auphonic-importer/vulnerability/wordpress-auphonic-importer-plugin-1-5-1-csrf-to-stored-xss-vulnerability?_s_id=cve) details the vulnerability and provides guidance for security practitioners on mitigation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3313
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in Kreg Steppe Auphonic Importer auphonic-importer allows Stored XSS.This issue affects Auphonic Importer: from n/a through <= 1.5.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CSRF-to-stored-XSS vulnerability in a public-facing WordPress plugin directly enables remote exploitation of the web application (T1190) and allows injection/execution of JavaScript payloads in victim browsers (T1059.007).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-2 requires timely identification, reporting, and correction of system flaws, directly mitigating this CVE by patching or removing the vulnerable Auphonic Importer plugin.
SC-23 provides mechanisms to protect communications session authenticity, directly preventing CSRF attacks that trick users into storing XSS payloads.
SI-10 enforces validation of information inputs, preventing the acceptance and storage of malicious XSS payloads submitted through the CSRF vulnerability.