CVE-2025-23805
Published: 16 January 2025
Summary
CVE-2025-23805 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-23805 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the SEOReseller Partner (sr-partner) WordPress plugin developed by itamarg. This issue affects all versions of the plugin from unknown initial release through 1.3.15. Published on 2025-01-16, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
An unauthenticated, network-based attacker can exploit this vulnerability by tricking an authenticated user into submitting a maliciously crafted request, for example by clicking a link or visiting a forged page. Attack complexity is low but user interaction is required; the vector's changed scope (S:C) reflects that the forged request's effects reach beyond the vulnerable component, with low impact on confidentiality, integrity, and availability.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/sr-partner/vulnerability/wordpress-seoreseller-partner-plugin-1-3-15-csrf-to-stored-xss-vulnerability?_s_id=cve details this as a CSRF-to-stored XSS vulnerability in SEOReseller Partner plugin version 1.3.15.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3437
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in itamarg SEOReseller Partner sr-partner allows Cross Site Request Forgery. This issue affects SEOReseller Partner: from n/a through <= 1.3.15.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A CSRF-to-stored-XSS flaw in a public-facing WordPress plugin lets an attacker exploit the application over the network (T1190) by sending crafted links that trick a logged-in user into triggering the forged request (T1204.001, User Execution: Malicious Link).
Mitigating Controls (NIST 800-53 r5)
- SC-23 (Session Authenticity): directly mitigates CSRF by requiring mechanisms that tie a state-changing request to the user's own session, such as anti-CSRF tokens (WordPress nonces), so forged cross-site requests to the SEOReseller Partner plugin are rejected.
- SI-10 (Information Input Validation): requires validation of information inputs, including verification of CSRF tokens or Origin/Referer checks and sanitization of submitted values, to block unauthorized state-changing requests and the stored-XSS payload they would otherwise persist.
- SI-2 (Flaw Remediation): mandates timely flaw remediation, such as updating SEOReseller Partner installations running versions through 1.3.15 to a release that fixes the CSRF-to-stored-XSS vulnerability.
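The two controls above map directly onto the WordPress nonce and sanitization APIs. The following is an added example written for this page, not code from the sr-partner plugin or its author: it shows a settings-save handler that lacks any request-origin check beside a hardened version, so a reviewer can recognise the pattern that produces a CSRF-to-stored-XSS bug. The option name `demo_partner_banner`, the action name `demo_partner_save`, and the text domain `demo-partner` are hypothetical placeholders.

```php
<?php
// Added example (not sr-partner's code): a CSRF-prone settings handler beside a
// hardened one. Option/action/text-domain names are hypothetical placeholders.

// Vulnerable form (shown for contrast, deliberately not hooked): any POST that
// reaches admin-post.php with the right action is honoured. No nonce means a
// logged-in administrator lured to a forged page stores attacker-controlled
// markup; no sanitization means that markup survives into the option table.
function demo_partner_save_vulnerable() {
    if ( isset( $_POST['banner_text'] ) ) {
        update_option( 'demo_partner_banner', $_POST['banner_text'] ); // unsanitized
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=demo-partner' ) );
    exit;
}

// Hardened form. SC-23: the nonce was issued to this user's session when the
// form was rendered, so a request forged from another site cannot carry a valid
// one and check_admin_referer() stops with a 403 before anything is written.
// SI-10: the capability check and sanitize_text_field() limit what even a
// legitimate request can store.
function demo_partner_save_hardened() {
    check_admin_referer( 'demo_partner_save' ); // verifies the '_wpnonce' field

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'demo-partner' ), 403 );
    }

    $banner = isset( $_POST['banner_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['banner_text'] ) )
        : '';
    update_option( 'demo_partner_banner', $banner );

    wp_safe_redirect( admin_url( 'options-general.php?page=demo-partner' ) );
    exit;
}
add_action( 'admin_post_demo_partner_save', 'demo_partner_save_hardened' );

// The settings form must emit the nonce the handler checks; wp_nonce_field()
// also adds the referer field so the same-origin check has something to compare.
function demo_partner_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'demo_partner_save' ); ?>
        <input type="hidden" name="action" value="demo_partner_save">
        <input type="text" name="banner_text"
               value="<?php echo esc_attr( get_option( 'demo_partner_banner', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Output escaping closes the stored-XSS half of the chain independently of the
// CSRF fix: even a value that slipped past validation renders as inert text.
function demo_partner_show_banner() {
    echo '<div class="demo-partner-banner">'
        . esc_html( get_option( 'demo_partner_banner', '' ) )
        . '</div>';
}
```

When reviewing a plugin for this class of bug, look for `admin_post_*`, `admin_init`, or `wp_ajax_*` callbacks that call `update_option()` or write to the database without a preceding `check_admin_referer()` / `wp_verify_nonce()` and `current_user_can()` check; the nonce defends against the forged request, and sanitization plus output escaping defends against what a forged request would have stored.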