CVE-2025-23810
Published: 16 January 2025
Summary
CVE-2025-23810 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 33.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-23810 is a Cross-Site Request Forgery (CSRF) vulnerability in the Len Slider WordPress plugin by Igor Sazonov, which allows Reflected Cross-Site Scripting (XSS). This issue affects Len Slider versions from n/a through 2.0.11 and is associated with CWE-352.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no required privileges, but it requires user interaction (a victim must be induced to issue the forged request). Exploitation enables reflected XSS through CSRF, with low impact on confidentiality, integrity, and availability and a changed scope, as reflected in its CVSS 3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The Patchstack advisory documents this CSRF to reflected XSS vulnerability in the Len Slider WordPress plugin (2.0.11) and provides mitigation details, available at https://patchstack.com/database/Wordpress/Plugin/len-slider/vulnerability/wordpress-len-slider-plugin-2-0-11-csrf-to-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3442
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in Igor Sazonov Len Slider len-slider allows Reflected XSS. This issue affects Len Slider: from n/a through <= 2.0.11.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote unauthenticated vulnerability in a public-facing WordPress plugin that can be directly exploited to achieve reflected XSS via CSRF, mapping to initial access through exploitation of a public-facing application.
Mitigating Controls (NIST 800-53 r5)
SC-23 requires mechanisms to protect session authenticity, such as anti-CSRF tokens, directly preventing the CSRF exploitation that leads to reflected XSS in this vulnerability.
SI-15 mandates filtering of information outputs, preventing reflected XSS payloads from malicious CSRF requests from executing in the victim's browser.
SI-10 enforces validation of information inputs, blocking acceptance and reflection of malicious payloads exploited via CSRF in this vulnerability.
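As an added illustration (not code from Len Slider, the advisory, or this record), the pattern these three controls address in a WordPress plugin: a hypothetical admin-page handler that reflects a request parameter with neither a nonce check nor output escaping, beside the hardened form that ties the action to a server-issued nonce (SC-23), validates the input (SI-10) and escapes the output (SI-15). The function, menu slug and nonce action names are assumptions.

```php
<?php
// Added example with hypothetical plugin code; it is not Len Slider's code.
// Shows the CSRF-to-reflected-XSS pattern and the controls that close it.

// WEAK: any request to admin.php?page=example_slider&msg=... is honoured,
// and the parameter is echoed into the admin page unescaped. A forged link
// followed by a logged-in administrator puts attacker-chosen markup into
// a page rendered in that administrator's session.
function example_slider_page_weak() {
    if ( isset( $_GET['msg'] ) ) {
        echo '<div class="notice">' . $_GET['msg'] . '</div>';
    }
}

// HARDENED: the request must carry a nonce this site issued to this user
// for this action (check_admin_referer() stops execution otherwise), the
// caller must hold the capability, and the value is validated on the way in
// and escaped on the way out.
function example_slider_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( isset( $_GET['msg'] ) ) {
        // SC-23: rejects requests without a valid '_wpnonce' for this action.
        check_admin_referer( 'example_slider_notice' );
        // SI-10: strip tags, control characters and slashes from the input.
        $msg = sanitize_text_field( wp_unslash( $_GET['msg'] ) );
        // SI-15: HTML-escape on output so the value cannot become markup.
        echo '<div class="notice">' . esc_html( $msg ) . '</div>';
    }
}

// Legitimate links inside the plugin are minted with a nonce, so only URLs
// the server issued to the current user pass the check above. add_query_arg()
// does not encode values, hence the explicit rawurlencode().
function example_slider_notice_url( $msg ) {
    $url = add_query_arg(
        array( 'page' => 'example_slider', 'msg' => rawurlencode( $msg ) ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'example_slider_notice' );
}
```

The nonce check alone defeats the CSRF step, and the escaping alone defeats the XSS step; a plugin needs both, since a nonce does nothing for a parameter that reaches the page through a different route.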