CVE-2025-23654
Published: 16 January 2025
Summary
CVE-2025-23654 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-23654 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the krolow Twitter Post (twitterpost) WordPress plugin that enables Stored Cross-Site Scripting (XSS). Published on 2025-01-16, it affects all versions of the plugin from unknown initial release through 0.1 inclusive. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, and changed scope despite needing user interaction.
Attackers can exploit this remotely without authentication by tricking a user, such as an authenticated WordPress administrator, into visiting a malicious site or clicking a crafted link that submits a CSRF request. This injects and stores an XSS payload via the plugin's functionality, which then executes in the browser context of subsequent site visitors or users, potentially leading to session hijacking, data theft, or further site compromise. The low impacts on confidentiality, integrity, and availability reflect the scoped execution, but the stored nature amplifies persistence.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/twitterpost/vulnerability/wordpress-twitter-post-plugin-0-1-csrf-to-stored-xss-vulnerability?_s_id=cve details the CSRF-to-Stored XSS issue in Twitter Post plugin version 0.1 and serves as the primary reference for practitioners assessing exposure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3318
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in krolow Twitter Post twitterpost allows Stored XSS. This issue affects Twitter Post: from n/a through <= 0.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE is a CSRF-to-stored-XSS vulnerability in a public-facing WordPress plugin, directly enabling T1190 (Exploit Public-Facing Application). The stored XSS payload facilitates client-side JavaScript execution (T1059.007) and browser session hijacking (T1185) as described in the attack impacts.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the CVE by requiring timely identification, reporting, and patching of the CSRF-to-stored XSS flaw in the Twitter Post WordPress plugin.
- SC-23 (Session Authenticity): prevents CSRF exploitation by enforcing session authenticity mechanisms such as anti-CSRF tokens on state-changing requests in the vulnerable plugin endpoints.
- SI-10 (Information Input Validation): blocks storage of malicious XSS payloads by validating and sanitizing all inputs submitted to the plugin's affected functionality.
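As an added illustration of the CSRF-to-stored-XSS pattern described above and of the SC-23 and SI-10 controls that close it, the following is a hypothetical WordPress settings handler, not the twitterpost plugin's own code (the advisory does not show its internals); all function, option and form-field names are invented.

```php
<?php
// Hypothetical plugin settings handler (not the twitterpost plugin's code).
// Vulnerable pattern: no nonce check, no capability check, no sanitisation.
// Any POST reaching admin-post.php while an admin is logged in is honoured, so a
// cross-site form submission can store markup that later renders unescaped.
function twitterpost_save_settings_vulnerable() {
    update_option( 'twitterpost_message', $_POST['message'] ); // stored verbatim
    update_option( 'twitterpost_handle', $_POST['handle'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=twitterpost' ) );
    exit;
}

// Hardened pattern: the form carries a nonce bound to the action and the user.
function twitterpost_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="twitterpost_save">';
    wp_nonce_field( 'twitterpost_save_settings', 'twitterpost_nonce' ); // SC-23
    echo '<input name="handle" value="' . esc_attr( get_option( 'twitterpost_handle', '' ) ) . '">';
    echo '<textarea name="message">' . esc_textarea( get_option( 'twitterpost_message', '' ) ) . '</textarea>';
    submit_button();
    echo '</form>';
}

function twitterpost_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) { // authorisation
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF defence: dies with 403 unless a valid nonce for this action is present.
    check_admin_referer( 'twitterpost_save_settings', 'twitterpost_nonce' );
    // SI-10: normalise input on the way in and reject values outside the expected shape.
    $handle  = sanitize_text_field( wp_unslash( $_POST['handle'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    if ( ! preg_match( '/^[A-Za-z0-9_]{1,15}$/', $handle ) ) {
        wp_die( 'Invalid Twitter handle', '', array( 'response' => 400 ) );
    }
    update_option( 'twitterpost_handle', $handle );
    update_option( 'twitterpost_message', $message );
    wp_safe_redirect( admin_url( 'options-general.php?page=twitterpost' ) );
    exit;
}
add_action( 'admin_post_twitterpost_save', 'twitterpost_save_settings_hardened' );

// Output side: escape at render time so a stored value can never run as script.
function twitterpost_render_message() {
    echo '<p class="twitterpost">' . esc_html( get_option( 'twitterpost_message', '' ) ) . '</p>';
}
```

The nonce check alone stops the cross-site submission; the input validation and output escaping are what keep a stored value from ever executing, so a reviewer should expect all three in a handler like this.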