Cyber Posture

CVE-2025-23922

Critical

Published: 16 January 2025

Modified: 23 April 2026
KEV Added: not listed
Patch
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0372 (88.1st percentile)
Risk Priority: 22 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-23922 is a critical-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 11.9% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SC-23 (prevent): requires session authenticity protections such as anti-CSRF tokens, directly preventing exploitation of this CSRF vulnerability that enables unauthorized web shell uploads.

SI-10 (prevent): enforces validation and sanitization of inputs, blocking malicious web shell files from being uploaded through the vulnerable endpoint.

SI-3 (prevent, detect): deploys malicious code protection mechanisms to scan for and prevent or detect web shell uploads on the web server.
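What SC-23 and SI-10 look like in a WordPress plugin upload handler, as an added example that is not the embed-ispring plugin's own code. The hook name, nonce action, nonce field name, form field name and settings page slug are hypothetical; the WordPress functions used are core API.

```php
<?php
// Added example, not code from the affected plugin. Hardened admin-post
// handler for a file upload feature. Hypothetical names: the
// 'example_embed_*' hook/action/field names and the 'example-embed' page slug.

add_action( 'admin_post_example_embed_upload', 'example_embed_handle_upload' );

function example_embed_handle_upload() {
    // SC-23 (session authenticity): the nonce is bound to the logged-in
    // session and to this action, so a request forged from another origin
    // cannot carry a valid one. check_admin_referer() also checks the Referer
    // and calls wp_die() on failure, ending the request before any upload.
    check_admin_referer( 'example_embed_upload', 'example_embed_nonce' );

    // Authorization is separate from CSRF protection: a valid nonce only
    // proves the request came from a page we rendered for this user.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    if ( empty( $_FILES['package'] ) || ! is_uploaded_file( $_FILES['package']['tmp_name'] ) ) {
        wp_die( 'No file received.', 400 );
    }

    // SI-10 (input validation): an explicit allow list of the types this
    // feature needs. Server-executable types (php, phtml, ...) are never in
    // it, and wp_check_filetype_and_ext() cross-checks the extension against
    // the file's actual content rather than trusting the client-supplied name.
    $allowed = array( 'zip' => 'application/zip' );
    $check   = wp_check_filetype_and_ext(
        $_FILES['package']['tmp_name'],
        $_FILES['package']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'File type not permitted.', 415 );
    }

    // 'test_form' => false because this is not the core media form;
    // 'mimes' makes WordPress's own handler enforce the same allow list.
    $result = wp_handle_upload( $_FILES['package'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), 400 );
    }

    wp_safe_redirect( admin_url( 'admin.php?page=example-embed&uploaded=1' ) );
    exit;
}

// The form that issues the request must emit the matching nonce field:
// wp_nonce_field( 'example_embed_upload', 'example_embed_nonce' );
```

A handler missing the nonce check is the pattern this CVE class describes: any site the browser is logged into can be made to submit the upload form on the user's behalf.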

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

CSRF in a public-facing WordPress plugin directly enables arbitrary upload of a web shell, which maps to exploitation of a public-facing application (T1190) and web shell deployment (T1505.003) for remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Cross-Site Request Forgery (CSRF) vulnerability in Harsh iSpring Embedder embed-ispring allows Upload a Web Shell to a Web Server. This issue affects iSpring Embedder: from n/a through <= 1.0.

Deeper analysis [AI-generated]

CVE-2025-23922 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the Harsh iSpring Embedder WordPress plugin (embed-ispring). It affects all versions from n/a through 1.0 inclusive and enables attackers to upload a web shell to the web server. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), reflecting its critical severity due to full compromise potential across confidentiality, integrity, and availability with changed scope.

Unauthenticated attackers can exploit this issue remotely, with low complexity and no required user interaction. By tricking a legitimate user's browser into submitting a forged request to the plugin (the CSRF mechanism), they can upload a web shell, achieving arbitrary file upload and likely remote code execution on the target web server.

The Patchstack advisory provides further details on this WordPress plugin vulnerability, available at https://patchstack.com/database/Wordpress/Plugin/embed-ispring/vulnerability/wordpress-ispring-embedder-plugin-1-0-csrf-to-arbitrary-file-upload-vulnerability?_s_id=cve.

Details

CWE(s)

CWE-352 (Cross-Site Request Forgery)

CVEs Like This One

CVE-2024-13913 (shared CWE-352)
CVE-2026-39617 (shared CWE-352)
CVE-2026-39619 (shared CWE-352)
CVE-2025-11087 (shared CWE-352)
CVE-2026-33507 (shared CWE-352)
CVE-2025-2319 (shared CWE-352)
CVE-2025-23803 (shared CWE-352)
CVE-2025-25071 (shared CWE-352)
CVE-2025-23821 (shared CWE-352)
CVE-2025-30615 (shared CWE-352)