CVE-2025-23871
Published: 16 January 2025
Summary
CVE-2025-23871 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SC-23 requires session authenticity mechanisms such as anti-CSRF tokens, directly preventing forged cross-site requests that exploit this CSRF vulnerability in the WordPress plugin.
SI-2 ensures timely identification, reporting, and remediation of flaws like CVE-2025-23871 by patching the vulnerable LSD Google Maps Embedder plugin.
SI-10 validates and sanitizes untrusted inputs submitted via CSRF, mitigating the chained stored XSS impact from malicious payloads.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remote CSRF vulnerability in a public-facing WordPress plugin that leads to stored XSS, directly enabling T1190 (Exploit Public-Facing Application) and T1059.007 (JavaScript execution via injected scripts).
NVD Description
Cross-Site Request Forgery (CSRF) vulnerability in Bas Matthee LSD Google Maps Embedder lsd-google-maps-embedder allows Cross Site Request Forgery.This issue affects LSD Google Maps Embedder: from n/a through <= 1.1.
Deeper analysisAI
CVE-2025-23871 is a Cross-Site Request Forgery (CSRF) vulnerability in the Bas Matthee LSD Google Maps Embedder WordPress plugin (lsd-google-maps-embedder). The issue affects all versions up to and including 1.1, as classified under CWE-352. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low complexity, lack of required privileges, and scope change.
Unauthenticated attackers can exploit this vulnerability remotely by tricking authenticated users (such as site administrators) into performing unintended actions via a malicious webpage, requiring user interaction like clicking a link. Successful exploitation enables CSRF leading to stored cross-site scripting (XSS), allowing limited impacts on confidentiality, integrity, and availability, such as injecting malicious scripts that persist on the site.
The Patchstack advisory details this as a CSRF-to-stored-XSS vulnerability in the plugin version 1.1 and provides information on patches or mitigations available through their database. Security practitioners should update to a patched version of the LSD Google Maps Embedder plugin if available, and apply general CSRF protections like token validation in WordPress environments.
Details
- CWE(s)