CVE-2025-23749
Published: 16 January 2025
Summary
CVE-2025-23749 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-23749 is a Cross-Site Request Forgery (CSRF) vulnerability in the progpars.net mybb Last Topics (mybb-last-topics) WordPress plugin that allows Stored XSS. This issue affects mybb Last Topics versions from n/a through 1.0 inclusive, as identified under CWE-352. The vulnerability was published on 2025-01-16 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity, though it requires user interaction. By tricking a victim into performing a state-changing action via a forged request, attackers can inject and store malicious XSS payloads, enabling subsequent execution in users' browsers and resulting in low impacts to confidentiality, integrity, and availability with a changed scope.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/mybb-last-topics/vulnerability/wordpress-mybb-last-topics-plugin-1-0-csrf-to-stored-xss-vulnerability?_s_id=cve documents this CSRF-to-Stored XSS issue in the mybb-last-topics WordPress plugin version 1.0 and provides details relevant to mitigation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3387
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in progpars.net mybb Last Topics (mybb-last-topics) allows Stored XSS. This issue affects mybb Last Topics: from n/a through 1.0 inclusive.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a CSRF leading to stored XSS in a public-facing WordPress plugin, directly enabling remote exploitation of the application (T1190) and subsequent arbitrary JavaScript execution in victims' browsers (T1059.007).
Mitigating Controls (NIST 800-53 r5)
SC-23 enforces session authenticity mechanisms such as anti-CSRF tokens, directly preventing forged requests that enable storage of XSS payloads in this vulnerability.
SI-10 requires validation of all information inputs, blocking malicious XSS payloads from being accepted and stored via the CSRF vector in the plugin.
SI-15 mandates filtering of outputs to external destinations, preventing execution of any stored XSS payloads injected through the CSRF vulnerability.
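The three controls above map onto concrete checks in a WordPress plugin's request handling. The following PHP is an added illustration written for this page; it is not code from the mybb Last Topics plugin and makes no claim about where that plugin's defect lies. It shows a hypothetical settings handler in the pattern that produces a CSRF-to-stored-XSS chain (no request-origin check, raw input stored, stored value echoed unescaped), followed by the same handler hardened with a nonce (SC-23), a capability check, input sanitisation (SI-10) and output escaping (SI-15). All `demo_lt_*` names, the option key `demo_lt_title` and the redirect target are placeholders.

```php
<?php
/**
 * Added illustration, not the mybb Last Topics plugin's own code.
 * Names prefixed demo_lt_ and the option key 'demo_lt_title' are placeholders.
 */

// --- Vulnerable pattern (shown for comparison) --------------------------------
// No nonce and no capability check: a forged cross-site form POST carrying an
// administrator's session cookie is honoured. The raw value is stored and later
// echoed without escaping, so the stored value runs as script for every viewer.
function demo_lt_save_vulnerable() {
    if ( isset( $_POST['demo_lt_title'] ) ) {
        update_option( 'demo_lt_title', $_POST['demo_lt_title'] );
    }
}
function demo_lt_render_vulnerable() {
    echo '<h2>' . get_option( 'demo_lt_title', '' ) . '</h2>';
}

// --- Hardened version ---------------------------------------------------------
// SC-23 (session authenticity): the form carries a WordPress nonce bound to the
// action name and the current user's session; a site the victim merely visits
// cannot read that value, so it cannot build a request the handler will accept.
function demo_lt_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'demo_lt_save', 'demo_lt_nonce' );
    echo '<input type="hidden" name="action" value="demo_lt_save">';
    echo '<input type="text" name="demo_lt_title" value="'
        . esc_attr( get_option( 'demo_lt_title', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function demo_lt_save_hardened() {
    // Reject forged requests: check_admin_referer() verifies the nonce for this
    // action and stops execution with an error page if it is missing or invalid.
    check_admin_referer( 'demo_lt_save', 'demo_lt_nonce' );

    // Least privilege: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // SI-10 (input validation): strip tags and control characters and bound the
    // length before anything reaches the database.
    $title = isset( $_POST['demo_lt_title'] ) ? wp_unslash( $_POST['demo_lt_title'] ) : '';
    $title = sanitize_text_field( $title );
    $title = mb_substr( $title, 0, 200 );

    update_option( 'demo_lt_title', $title );

    // Placeholder settings page slug; a real plugin would redirect to its own page.
    wp_safe_redirect( admin_url( 'options-general.php?page=demo-lt&updated=1' ) );
    exit;
}
add_action( 'admin_post_demo_lt_save', 'demo_lt_save_hardened' );

// SI-15 (output filtering): escape at the point of output, so that even a value
// that somehow reached the database cannot execute in another user's browser.
function demo_lt_render_hardened() {
    echo '<h2>' . esc_html( get_option( 'demo_lt_title', '' ) ) . '</h2>';
}
```

The three layers are deliberately independent: the nonce blocks the forged request, sanitisation limits what can be stored if a request does get through, and escaping on output neutralises whatever is stored. Removing any one of them leaves the other two still in place, which is why advisories of this kind usually list more than one NIST control.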