CVE-2025-23660
Published: 16 January 2025
Summary
CVE-2025-23660 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-23660 is a Cross-Site Request Forgery (CSRF) vulnerability in the MFPlugin WordPress plugin by waltercerrudo, designated as mfplugin. This issue affects all versions from n/a through 1.3 inclusive and enables Stored Cross-Site Scripting (XSS). It is classified under CWE-352 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Unauthenticated attackers can exploit the vulnerability remotely with low attack complexity, requiring user interaction such as clicking a malicious link. By forging a CSRF request, an attacker tricks an authenticated user into submitting a request that stores an XSS payload, potentially compromising confidentiality, integrity, and availability at a low level with changed scope due to the cross-origin effects of stored XSS.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/mfplugin/vulnerability/wordpress-mfplugin-plugin-1-3-csrf-to-cross-site-scripting-vulnerability?_s_id=cve documents the CSRF-to-XSS vulnerability specifically in MFPlugin version 1.3.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3324
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in waltercerrudo MFPlugin mfplugin allows Stored XSS.This issue affects MFPlugin: from n/a through <= 1.3.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a vulnerability in a public-facing WordPress plugin that can be remotely exploited, directly mapping to T1190. The CSRF-to-stored-XSS chain enables arbitrary JavaScript execution in the browser context of authenticated users, mapping to T1059.007.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces session authenticity mechanisms like anti-CSRF tokens to directly prevent forged requests that store XSS payloads.
Validates and sanitizes inputs to block malicious XSS payloads from being stored via CSRF exploitation.
Filters information outputs to prevent execution of stored XSS payloads originating from the CSRF vulnerability.