CVE-2025-23806
Published: 22 January 2025
Summary
CVE-2025-23806 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-23806 is a Cross-Site Request Forgery (CSRF) vulnerability in the Ultimate Subscribe WordPress plugin developed by ThemeFarmer, which enables Reflected Cross-Site Scripting (XSS). The flaw, associated with CWE-352, affects all versions of the plugin up to and including 1.3.
A remote, unauthenticated attacker exploits this by inducing a user who is logged in to the WordPress site to submit a forged request, for example by clicking a crafted link or visiting a page that auto-submits a form. Because the plugin's handler does not verify that the request originated from the site's own form (the job a WordPress nonce does) and reflects request parameters into the response without escaping, the attacker's script runs in the victim's browser in the context of the site. Exploitation requires user interaction, has low attack complexity, needs no privileges, and yields low confidentiality, integrity, and availability impacts with a changed scope (the plugin is the vulnerable component, the user's browser the impacted one), giving a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The Patchstack advisory for this CSRF-to-Reflected XSS issue in Ultimate Subscribe 1.3 is available at https://patchstack.com/database/Wordpress/Plugin/ultimate-subscribe/vulnerability/wordpress-ultimate-subscribe-plugin-1-3-csrf-to-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3438
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in ThemeFarmer Ultimate Subscribe ultimate-subscribe allows Reflected XSS. This issue affects Ultimate Subscribe: from n/a through 1.3.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF flaw sits in a public-facing WordPress plugin, so exploiting it is an attack on the exposed application (T1190); the resulting reflected XSS gives the attacker arbitrary JavaScript execution in the victim's browser (T1059.007, Command and Scripting Interpreter: JavaScript).
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation) requires timely patching; updating the plugin to a release in which the vendor has addressed the issue removes the flaw at its source.
SC-23 (Session Authenticity) covers anti-CSRF tokens. In WordPress that means per-action nonces (wp_nonce_field when rendering the form, check_admin_referer or wp_verify_nonce when handling it), which tie each submission to the user's session so a forged cross-site request is rejected before the handler runs.
SI-15 (Information Output Filtering) covers validating input and escaping output. Escaping any reflected parameter (esc_html or esc_attr in WordPress) stops the XSS payload from rendering as markup even if a forged request reaches the handler.
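The following is an added illustration, not code from the Ultimate Subscribe plugin or from Patchstack. It shows the generic pattern behind a CSRF-to-reflected-XSS bug as described in the analysis above (a form handler with no origin check that echoes a request parameter unescaped) next to a hardened version that applies the two controls listed here: a session-bound anti-CSRF token (SC-23) and input validation plus output escaping (SI-15). The handler, its field names and the action name are hypothetical; the request and session values are constructed in the script so it runs stand-alone with the PHP CLI. Comments note the WordPress equivalents a plugin would use instead of the hand-rolled token.

```php
<?php
// Added example (hypothetical subscribe-form handler, not the plugin's code).
declare(strict_types=1);

// --- Vulnerable pattern ---------------------------------------------------
// No check that the request came from the site's own form, so any page the
// victim visits can make their browser submit it (CSRF). The submitted value
// is echoed straight back as HTML, so a script in it executes (reflected XSS).
function vulnerable_subscribe(array $request): string
{
    $email = $request['email'] ?? '';
    return "<p>Thanks for subscribing, $email!</p>";
}

// --- Hardened pattern -----------------------------------------------------
// 1. Anti-CSRF token bound to the user's session (SC-23, Session Authenticity).
//    WordPress equivalent: wp_nonce_field() / wp_create_nonce() when rendering
//    the form, check_admin_referer() or wp_verify_nonce() when handling it.
const CSRF_ACTION = 'ultimate_subscribe_form'; // hypothetical action name

function csrf_token(string $sessionSecret): string
{
    return hash_hmac('sha256', CSRF_ACTION, $sessionSecret);
}

function csrf_valid(array $request, string $sessionSecret): bool
{
    $sent = (string) ($request['_token'] ?? '');
    // hash_equals() avoids leaking the token through timing differences.
    return $sent !== '' && hash_equals(csrf_token($sessionSecret), $sent);
}

// 2. Validate the input, then escape whatever is reflected (SI-15).
//    WordPress equivalent: is_email() / sanitize_email(), then esc_html().
function hardened_subscribe(array $request, string $sessionSecret): string
{
    if (!csrf_valid($request, $sessionSecret)) {
        return '<p>Request could not be verified.</p>';
    }
    $email = filter_var($request['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return '<p>Please enter a valid email address.</p>';
    }
    $safe = htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Thanks for subscribing, $safe!</p>";
}

// --- Demonstration (constructed data) -------------------------------------
$sessionSecret = bin2hex(random_bytes(16)); // stands in for the victim's session

// What an auto-submitting form on an attacker-controlled page would send:
// the victim's browser sends it, but the attacker never sees the session token.
$forged = ['email' => '"><script>alert(document.cookie)</script>'];

// A legitimate submission of the form the site itself rendered for this session.
$legit = ['email' => 'alice@example.org', '_token' => csrf_token($sessionSecret)];

echo "Vulnerable, forged:  " . vulnerable_subscribe($forged) . "\n";
echo "Hardened,   forged:  " . hardened_subscribe($forged, $sessionSecret) . "\n";
echo "Hardened,   legit:   " . hardened_subscribe($legit, $sessionSecret) . "\n";
```

Run with `php example.php`. The first line shows the script tag reflected verbatim, the second shows the forged request rejected at the token check before any reflection happens, and the third shows the legitimate request accepted with its value escaped. The two controls are independent: the token stops the forged request, and the escaping would neutralise the payload even if a request with a valid token carried one.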