CVE-2025-23902
Published: 16 January 2025
Summary
CVE-2025-23902 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 28.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-23902 is a Cross-Site Request Forgery (CSRF) vulnerability, corresponding to CWE-352, in the WordPress plugin Error Notification developed by Taras Dashkevych. The plugin, known as error-notification, is affected in all versions up to and including 0.2.7. Published on 2025-01-16, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and scope change.
An unauthenticated attacker can exploit this CSRF vulnerability remotely with low attack complexity, but it requires user interaction: an authenticated administrator must be lured into visiting a malicious site that submits the forged request from the administrator's browser. Because the forged request is processed with the administrator's session, the impact crosses a scope boundary (S:C) and allows limited effects on confidentiality, integrity, and availability, effectively letting the attacker act on behalf of the victim.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/error-notification/vulnerability/wordpress-error-notification-plugin-0-2-7-csrf-to-stored-xss-vulnerability?_s_id=cve) characterizes the issue as a CSRF leading to stored XSS in Error Notification version 0.2.7, providing details for practitioners to assess and address the flaw in affected WordPress environments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3520
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in Taras Dashkevych Error Notification error-notification allows Cross Site Request Forgery. This issue affects Error Notification: from n/a through <= 0.2.7.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1204.001 User Execution: Malicious Link
Why these techniques?
A CSRF flaw in a public-facing WordPress plugin maps directly to T1190 (exploitation of the application itself). Because exploitation depends on luring a logged-in user onto a malicious site or link, it also maps to T1204.001.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates CVE-2025-23902 by identifying, reporting, and remediating the CSRF-to-stored-XSS flaw in the Error Notification plugin through timely patching or removal of the plugin.
- SC-23 (Session Authenticity): prevents CSRF exploitation by enforcing session authenticity mechanisms, such as anti-CSRF tokens (WordPress nonces), so that state-changing requests are validated as originating from the legitimate user's session rather than from a third-party page.
- SI-10 (Information Input Validation): addresses the stored XSS consequence of the flaw by validating and sanitizing submitted values, and escaping them on output, so that a payload delivered through a forged request cannot execute in administrators' or visitors' browsers.
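As an added defensive illustration (not code from the Error Notification plugin; the option name, form field and nonce action are hypothetical placeholders), a WordPress settings handler that skips the nonce check is shown beside a hardened version that applies the SC-23 and SI-10 controls above: nonce verification, a capability check, input sanitization and output escaping.

```php
<?php
// Added illustration, not code from the Error Notification plugin.
// Option name, form field and nonce action are hypothetical placeholders.
define( 'EN_DEMO_OPTION', 'en_demo_notification_message' );

// Vulnerable pattern: any POST reaching this handler is honoured, so a forged
// cross-site request sent from a logged-in admin's browser stores
// attacker-controlled HTML unchanged (CSRF leading to stored XSS).
function en_demo_save_message_vulnerable() {
    if ( isset( $_POST['en_message'] ) ) {
        update_option( EN_DEMO_OPTION, $_POST['en_message'] ); // raw, unchecked
    }
}

// Hardened pattern: the nonce binds the request to the admin's own session
// (SC-23), the capability check enforces least privilege, and the value is
// sanitized before storage (SI-10).
function en_demo_save_message_hardened() {
    if ( ! isset( $_POST['en_message'] ) ) {
        return;
    }
    // Stops the request if the nonce is missing, expired or forged.
    check_admin_referer( 'en_demo_save_message', 'en_demo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'en-demo' ), 403 );
    }
    $message = sanitize_text_field( wp_unslash( $_POST['en_message'] ) );
    update_option( EN_DEMO_OPTION, $message );
}

// Matching form: wp_nonce_field() emits the hidden nonce the handler checks.
function en_demo_render_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'en_demo_save_message', 'en_demo_nonce' ); ?>
        <input type="text" name="en_message"
               value="<?php echo esc_attr( get_option( EN_DEMO_OPTION, '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Output: escape at render time as well, so a value stored while a
// vulnerable version was active still cannot execute as script.
function en_demo_render_message() {
    echo esc_html( get_option( EN_DEMO_OPTION, '' ) );
}

add_action( 'admin_init', 'en_demo_save_message_hardened' );
```

Only the hardened handler is hooked; the vulnerable function is kept solely to show the missing checks a reviewer should look for when auditing a plugin's settings handlers.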