Cyber Resilience

CVE-2025-23902

Severity: High

Published: 16 January 2025

Modified: 23 April 2026
CVSS Score (v3.1): 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0010 (28.0th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-23902 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-23902 is a Cross-Site Request Forgery (CSRF) vulnerability, corresponding to CWE-352, in the WordPress plugin Error Notification developed by Taras Dashkevych. The plugin, known as error-notification, is affected in all versions up to and including 0.2.7. Published on 2025-01-16, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and scope change.

An unauthenticated attacker can exploit this CSRF vulnerability remotely with low attack complexity, but it requires user interaction, such as tricking an authenticated administrator into visiting a malicious site that submits the forged request. Successful exploitation crosses a scope boundary, since the forged request runs inside the victim's authenticated session, and has limited impact on confidentiality, integrity, and availability, letting the attacker perform actions on the victim's behalf.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/error-notification/vulnerability/wordpress-error-notification-plugin-0-2-7-csrf-to-stored-xss-vulnerability?_s_id=cve) characterizes the issue as a CSRF leading to stored XSS in Error Notification version 0.2.7, providing details for practitioners to assess and address the flaw in affected WordPress environments.

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in Taras Dashkevych Error Notification error-notification allows Cross Site Request Forgery. This issue affects Error Notification: from n/a through <= 0.2.7.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1204.001 Malicious Link (Execution): An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

The CSRF vulnerability in a public-facing WordPress plugin maps directly to T1190 (exploitation of the application); because exploitation requires tricking a user via a malicious site or link, it also maps to T1204.001.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-25121 (shared CWE-352)
CVE-2025-24001 (shared CWE-352)
CVE-2025-25147 (shared CWE-352)
CVE-2026-34904 (shared CWE-352)
CVE-2024-26153 (shared CWE-352)
CVE-2025-28860 (shared CWE-352)
CVE-2026-45430 (shared CWE-352)
CVE-2025-23880 (shared CWE-352)
CVE-2025-59541 (shared CWE-352)
CVE-2026-23622 (shared CWE-352)

Mitigating Controls (NIST 800-53 r5)

prevent: Directly mitigates CVE-2025-23902 by identifying, reporting, and remediating the CSRF-to-stored-XSS flaw in the Error Notification plugin through timely patching or removal.

prevent: Prevents CSRF exploitation by enforcing session authenticity mechanisms, such as anti-CSRF tokens, to validate that requests originate from legitimate user sessions.

prevent: Addresses the stored XSS aspect of the CSRF vulnerability by validating and sanitizing inputs, so that payloads delivered through forged requests are neither stored nor later executed.
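The CSRF-to-stored-XSS pattern the advisory describes, and the session-authenticity and input-validation controls listed above, as an added PHP illustration (hypothetical plugin code written for this page, not the Error Notification plugin's own source): a settings handler with no CSRF protection next to one that checks the caller's capability, verifies a WordPress nonce, sanitizes on write and escapes on output. The option name, hook name and nonce action are assumed.

```php
<?php
// Added illustration; hypothetical plugin code, not the Error Notification plugin's source.
// Both handlers save a "notification message" option from an admin settings form.

// Weak handler: no nonce or capability check, raw input stored. Any page an
// authenticated administrator visits can submit this form on their behalf, and
// whatever markup it carries is stored and later rendered (CSRF -> stored XSS).
function demo_save_settings_weak() {
    update_option( 'demo_notify_message', $_POST['notify_message'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}

// Hardened handler: the request must come from a user allowed to change
// settings, must carry a valid nonce, and the value is sanitized before storage.
function demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Verifies the '_wpnonce' field for the action 'demo_save_settings' (session
    // authenticity, SC-23); dies with a 403 page if it is missing or invalid.
    check_admin_referer( 'demo_save_settings' );

    $message = isset( $_POST['notify_message'] )
        ? sanitize_text_field( wp_unslash( $_POST['notify_message'] ) )   // strips tags, input validation
        : '';
    update_option( 'demo_notify_message', $message );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}
add_action( 'admin_post_demo_save_settings', 'demo_save_settings_hardened' );

// Settings form: wp_nonce_field() emits the hidden '_wpnonce' field that
// check_admin_referer() expects; esc_attr() keeps any stored value inert on output.
function demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_settings">
        <?php wp_nonce_field( 'demo_save_settings' ); ?>
        <input type="text" name="notify_message"
               value="<?php echo esc_attr( get_option( 'demo_notify_message', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The nonce is bound to the logged-in user and to the action name, so a cross-site form cannot supply a valid one; the sanitization and output escaping remain necessary because a nonce protects request origin, not the content of what is stored.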
