CVE-2025-23713
Published: 16 January 2025
Summary
CVE-2025-23713 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-23713 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin "Hack me if you can" by artanik that can be leveraged to store an XSS payload in the site. The issue affects the plugin from n/a through version 1.2 and is classified as CWE-352.
The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): network attack vector, low attack complexity, no privileges required, user interaction required, and a scope change. The scope change reflects the second stage of the attack: the forged request is made in the context of one user, but the stored payload executes in the browsers of other users who later view the affected page. An attacker exploits it by luring an authenticated user (whose session carries the rights needed to save the plugin's data) into submitting a forged state-changing request from an attacker-controlled page; because the plugin does not verify that the request was intentionally issued from its own form, the attacker-chosen content is stored and later rendered without escaping.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/hack-me-if-you-can/vulnerability/wordpress-hack-me-if-you-can-plugin-1-2-csrf-to-stored-xss-vulnerability?_s_id=cve details the CSRF-to-Stored XSS vulnerability in plugin versions up to and including 1.2 and provides mitigation information for affected WordPress installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3366
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in artanik Hack me if you can (plugin slug: hack-me-if-you-can) allows Stored XSS. This issue affects Hack me if you can: from n/a through <= 1.2.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
A CSRF-to-stored-XSS flaw in a public-facing WordPress plugin is reached through ordinary web requests to the site itself, which is the path T1190 describes: the application exposed to the internet is the initial access vector, and no prior foothold is needed.
Affected Assets
- WordPress plugin "Hack me if you can" by artanik (slug hack-me-if-you-can), versions from n/a through 1.2
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validates and sanitizes input so that a forged CSRF request cannot store a malicious XSS payload through the plugin.
- SI-15 (Information Output Filtering): escapes or filters output so that any stored payload is rendered as inert text rather than executed in the browsers of other users who view it.
- SC-23 (Session Authenticity): enforces session-bound request authenticity (in WordPress, per-action nonces tied to the logged-in user) so that state-changing requests not intentionally issued from the plugin's own form are rejected before anything is stored.
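The following is an added illustration written for this page, not code from the "Hack me if you can" plugin or from artanik, and it does not claim to reproduce the plugin's actual handler. It shows the generic CSRF-to-stored-XSS pattern described in the analysis above beside a hardened version that applies the three controls listed under Mitigating Controls. All names (the hmiyc_demo_ prefix, the hmiyc_banner field, the hmiyc_demo_banner option, the hmiyc_demo_save action and nonce) are hypothetical; the WordPress API functions used (wp_nonce_field, check_admin_referer, current_user_can, sanitize_text_field, wp_unslash, update_option, get_option, esc_attr, esc_html, esc_url, admin_url, wp_safe_redirect, submit_button, wp_die, add_action) are the standard core functions.

```php
<?php
/*
 * Added example, not the plugin's code. A hypothetical settings handler that
 * stores an admin-supplied "banner" string and echoes it on an admin page.
 */

/* ---------- Vulnerable pattern (illustrative only) ---------- */
/* No nonce, no capability check, raw $_POST stored, raw option echoed.
 * A cross-site page can auto-submit a POST with hmiyc_banner=<script>...
 * while an administrator is logged in; the payload is stored and runs for
 * every later viewer of the page. */
function hmiyc_demo_vuln_save() {
    if ( isset( $_POST['hmiyc_banner'] ) ) {
        update_option( 'hmiyc_demo_banner', $_POST['hmiyc_banner'] ); // stored unsanitised
    }
}
function hmiyc_demo_vuln_render() {
    echo '<div class="notice">' . get_option( 'hmiyc_demo_banner', '' ) . '</div>'; // unescaped
}

/* ---------- Hardened pattern ---------- */
function hmiyc_demo_render_form() {
    // The nonce is bound to the logged-in user's session and to this action.
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hmiyc_demo_save">
        <?php wp_nonce_field( 'hmiyc_demo_save', 'hmiyc_demo_nonce' ); ?>
        <input type="text" name="hmiyc_banner"
               value="<?php echo esc_attr( get_option( 'hmiyc_demo_banner', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function hmiyc_demo_save() {
    // SC-23: a forged cross-site request cannot carry a valid nonce for this
    // action, so check_admin_referer() stops it (wp_die) before any write.
    check_admin_referer( 'hmiyc_demo_save', 'hmiyc_demo_nonce' );

    // Least privilege: a nonce proves intent, not authorisation.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hmiyc-demo' ), 403 );
    }

    // SI-10: wp_unslash() undoes WordPress's added slashes; sanitize_text_field()
    // strips tags, octets and control characters before the value is stored.
    $banner = isset( $_POST['hmiyc_banner'] )
        ? sanitize_text_field( wp_unslash( $_POST['hmiyc_banner'] ) )
        : '';
    update_option( 'hmiyc_demo_banner', $banner );

    // Hypothetical settings page slug; redirect back after a successful save.
    wp_safe_redirect( admin_url( 'options-general.php?page=hmiyc-demo&updated=1' ) );
    exit;
}
add_action( 'admin_post_hmiyc_demo_save', 'hmiyc_demo_save' );

function hmiyc_demo_render_banner() {
    // SI-15: escape at output time even though input was sanitised, so a value
    // written through any other path (import, direct DB edit) cannot become markup.
    echo '<div class="notice">' . esc_html( get_option( 'hmiyc_demo_banner', '' ) ) . '</div>';
}
```

When reviewing a plugin for this class of bug, look for the three checks together: a state-changing handler that reads $_POST or $_GET without check_admin_referer()/wp_verify_nonce(), a missing current_user_can() check, and an echo of stored data without an esc_* function. Any one of the three missing is a finding; the nonce check alone is what turns the CSRF stage off, but without output escaping the same stored value remains an XSS sink for any other write path.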