Cyber Resilience

CVE-2025-23797

Critical

Published: 16 January 2025

Published
16 January 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0035 57.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-23797 is a critical-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-23797 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the WP Options Editor plugin (wp-options-editor) developed by Mike Selander for WordPress. The flaw allows privilege escalation and affects all versions from unknown initial release through 1.1 inclusive. Published on 2025-01-16, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The vulnerability can be exploited by unauthenticated attackers accessible over the network with low attack complexity and no user interaction required. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, specifically through privilege escalation on affected WordPress sites running the vulnerable plugin.

Mitigation details are provided in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-options-editor/vulnerability/wordpress-wp-options-editor-plugin-1-1-csrf-to-privilege-escalation-vulnerability?_s_id=cve.

EU & UK References

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in Mike Selander WP Options Editor wp-options-editor allows Privilege Escalation.This issue affects WP Options Editor: from n/a through <= 1.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE describes a remote CSRF vulnerability in a public-facing WordPress plugin that allows unauthenticated network attackers to achieve privilege escalation with no user interaction, directly enabling T1190 (exploiting public-facing applications for initial access) and T1068 (exploitation for privilege escalation to gain higher permissions).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-23532Shared CWE-352
CVE-2025-25928Shared CWE-352
CVE-2025-27012Shared CWE-352
CVE-2025-26206Shared CWE-352
CVE-2026-33649Shared CWE-352
CVE-2024-37102Shared CWE-352
CVE-2024-37450Shared CWE-352
CVE-2025-23558Shared CWE-352
CVE-2025-68722Shared CWE-352
CVE-2025-31440Shared CWE-352

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the specific CSRF flaw in the WP Options Editor plugin through timely identification, reporting, and patching.

prevent

Enforces session authenticity with unique identifiers or cryptographic mechanisms to block forged cross-site requests enabling privilege escalation.

prevent

Validates information inputs at system boundaries to detect and reject malformed or forged CSRF requests targeting privilege escalation.

References