CVE-2025-23712
Published: 16 January 2025
Summary
CVE-2025-23712 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-23712 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Kapost Byline WordPress plugin developed by kapostintegrations. This flaw enables Stored Cross-Site Scripting (XSS) and affects all versions of the plugin up to and including 2.2.9. The vulnerability was published on 2025-01-16.
With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the issue allows network-accessible exploitation with low complexity and no required privileges, though it demands user interaction and results in a changed scope. An unauthenticated attacker can trick an authenticated user into submitting a forged request via a malicious webpage, leading to the storage of malicious scripts that execute in the victim's browser context and potentially affect other users viewing the injected content.
Patchstack has issued an advisory documenting the CSRF-to-Stored XSS vulnerability in the Kapost Byline WordPress plugin versions up to 2.2.9, available at https://patchstack.com/database/Wordpress/Plugin/kapost-byline/vulnerability/wordpress-kapost-plugin-2-2-9-csrf-to-stored-xss-vulnerability?_s_id=cve. Security practitioners should consult this reference for detailed mitigation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3365
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in kapostintegrations Kapost kapost-byline allows Stored XSS.This issue affects Kapost: from n/a through <= 2.2.9.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CSRF-to-stored XSS vulnerability in a public-facing WordPress plugin directly enables remote exploitation of an Internet-facing application to inject and execute malicious scripts in users' browsers.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the CVE by identifying, reporting, and correcting the CSRF-to-Stored XSS flaw in the Kapost Byline WordPress plugin through timely patching.
Enforces session authenticity to prevent unauthenticated attackers from tricking authenticated users into submitting forged CSRF requests that store malicious scripts.
Validates and sanitizes user inputs to block the storage of malicious JavaScript payloads exploited via the CSRF vulnerability.