CVE-2025-23884
Published: 16 January 2025
Summary
CVE-2025-23884 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 28.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-23884 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Annie WordPress plugin developed by Chris Roberts. This issue affects Annie from unknown initial versions through version 2.1.1. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), highlighting its potential for cross-site exploitation with changed scope.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity, requiring only user interaction such as tricking a victim into visiting a malicious webpage. Successful CSRF exploitation enables the attacker to perform unauthorized actions on behalf of the authenticated user, potentially leading to low impacts on confidentiality, integrity, and availability.
The Patchstack advisory details this as a CSRF-to-stored-XSS vulnerability in WordPress Annie plugin version 2.1.1, providing vulnerability assessment and recommendations for affected sites. Security practitioners should consult the advisory at https://patchstack.com/database/Wordpress/Plugin/annie/vulnerability/wordpress-annie-plugin-2-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve for mitigation guidance, including plugin updates where available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3502
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in Chris Roberts Annie (annie) allows Cross Site Request Forgery. This issue affects Annie: from n/a through <= 2.1.1.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
- T1190 Exploit Public-Facing Application
Why these techniques?
A CSRF-to-stored-XSS flaw in a public-facing WordPress plugin, exploited remotely through a malicious link that requires user interaction, lets an attacker perform unauthorized actions on the authenticated victim's behalf.
Mitigating Controls (NIST 800-53 r5) (AI)
- Flaw remediation: directly mitigates the CVE by requiring timely identification, reporting, and patching of the CSRF vulnerability in the Annie WordPress plugin.
- SC-23 (Session Authenticity): enforces session authenticity mechanisms such as anti-CSRF tokens to prevent unauthorized actions via forged requests on behalf of authenticated users.
- SI-10 (Information Input Validation): requires validation of information inputs, including CSRF tokens, to block exploitation of the cross-site request forgery vulnerability.
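As an added illustration (not code from the Annie plugin, from Chris Roberts, or from the Patchstack advisory), the following hypothetical WordPress settings handler shows the generic shape a CSRF-to-stored-XSS weakness takes in a plugin, beside the hardened form that applies SC-23 (a per-action nonce tied to the user's session) and SI-10 (input validation before storage). Every function, option, action and text-domain name below (`example_*`) is assumed for the illustration; only the WordPress core API calls are real.

```php
<?php
/**
 * Added illustration, not the Annie plugin's code. All example_* names,
 * the option key and the admin page slug are assumptions.
 */

// --- Vulnerable shape: a POST arriving with the admin's session cookie is
// trusted outright. A form on another site can submit it, and the unchecked
// value is stored and later rendered (the CSRF-to-stored-XSS chain).
function example_save_settings_unsafe() {
    // No nonce, no capability check, no sanitisation before update_option().
    update_option( 'example_banner_text', $_POST['banner_text'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

// --- Hardened shape.
// The form embeds a nonce bound to the action name and the current user.
function example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="banner_text"
               value="<?php echo esc_attr( get_option( 'example_banner_text', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

function example_save_settings_safe() {
    // SC-23: the request must carry a valid nonce for this action and this
    // user's session. A cross-site form cannot obtain one, so a forged
    // request is rejected here (check_admin_referer() calls wp_die()).
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // Authorisation is separate from CSRF protection: a valid nonce from a
    // low-privilege account must still not be enough to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }

    // SI-10: validate and sanitise before storing. Stripping markup here
    // closes the stored-XSS half of the chain even if a request got through.
    $raw  = isset( $_POST['banner_text'] ) ? wp_unslash( $_POST['banner_text'] ) : '';
    $text = sanitize_text_field( $raw ); // removes tags, octets and control characters
    update_option( 'example_banner_text', $text );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example' ) ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings_safe' );

// Output escaping is the last line of defence even for sanitised data.
function example_render_banner() {
    echo '<div class="example-banner">' . esc_html( get_option( 'example_banner_text', '' ) ) . '</div>';
}
```

When reviewing a plugin for this class of issue, the three checks to look for in every state-changing handler are the ones the hardened version makes explicit: nonce verification (`check_admin_referer()` or `wp_verify_nonce()`), a capability check (`current_user_can()`), and sanitisation of each input before it reaches `update_option()` or the database, with escaping applied again on output.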