Cyber Resilience

CVE-2025-23823

High

Published: 16 January 2025

Published
16 January 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0014 33.7th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-23823 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-23823 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the CNZZ&51LA for WordPress plugin (cnzz51la-for-wordpress). This issue affects the plugin from unknown initial versions through version 1.0.1. Published on 2025-01-16, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), reflecting high severity due to network accessibility, low complexity, no required privileges, and changed scope despite needing user interaction.

Attackers can exploit this CSRF flaw without privileges by crafting malicious webpages or links that trick authenticated WordPress users (with appropriate access to the plugin) into unwittingly submitting forged requests. Exploitation requires the victim to interact, such as visiting a malicious site while logged in. Successful attacks can result in low impacts to confidentiality, integrity, and availability, potentially enabling unauthorized actions within the plugin's scope.

The Patchstack advisory provides further details on mitigation, describing the issue as a CSRF-to-stored-XSS vulnerability in version 1.0.1; security practitioners should consult https://patchstack.com/database/Wordpress/Plugin/cnzz51la-for-wordpress/vulnerability/wordpress-cnzz-51la-for-wordpress-plugin-1-0-1-csrf-to-stored-xss-vulnerability?_s_id=cve for patch information and remediation steps.

EU & UK References

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in jprintf CNZZ&51LA for WordPress cnzz51la-for-wordpress allows Cross Site Request Forgery.This issue affects CNZZ&51LA for WordPress: from n/a through <= 1.0.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CSRF vulnerability in public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) via forged requests from malicious links/pages, leading to unauthorized actions and stored XSS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-37102Shared CWE-352
CVE-2024-37450Shared CWE-352
CVE-2025-23558Shared CWE-352
CVE-2025-68722Shared CWE-352
CVE-2025-31440Shared CWE-352
CVE-2025-23848Shared CWE-352
CVE-2025-22571Shared CWE-352
CVE-2024-53684Shared CWE-352
CVE-2025-23455Shared CWE-352
CVE-2025-22582Shared CWE-352

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CSRF-to-stored-XSS vulnerability by identifying, reporting, and remediating flaws in the CNZZ&51LA WordPress plugin through timely patching.

prevent

Protects session authenticity with mechanisms like CSRF tokens to prevent forged requests from tricking authenticated users into unauthorized plugin actions.

prevent

Validates information inputs at plugin endpoints to block malicious forged CSRF requests that could lead to stored XSS.

References