CVE-2025-23977
Published: 31 January 2025
Summary
CVE-2025-23977 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 28.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-23977 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Bhaskar Dhote Post Carousel Slider WordPress plugin (post-carousel-slider) that enables Stored XSS. The vulnerability affects all versions from n/a through 2.0.1 and was published on 2025-01-31. It carries a CVSS v3.1 base score of 7.1 (High), with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L.
The vulnerability can be exploited by any network-accessible attacker (AV:N) with low attack complexity (AC:L) and no privileges (PR:N), but it requires user interaction (UI:R): an authenticated user must be induced to submit a request the attacker prepared. Exploitation changes scope (S:C) because the XSS payload stored via the forged request later executes in the browsers of other users who view the affected content; the resulting impact on confidentiality, integrity, and availability is rated low (C:L/I:L/A:L).
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/post-carousel-slider/vulnerability/wordpress-post-carousel-slider-plugin-2-0-1-csrf-to-stored-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3578
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in Bhaskar Dhote Post Carousel Slider post-carousel-slider allows Stored XSS. This issue affects Post Carousel Slider: from n/a through <= 2.0.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is in a public-facing WordPress plugin, so exploitation falls under Exploit Public-Facing Application (T1190). The CSRF-to-stored-XSS chain directly enables injection and execution of attacker-supplied JavaScript in the browsers of other users (Command and Scripting Interpreter: JavaScript, T1059.007).
Mitigating Controls (NIST 800-53 r5)
SC-23 requires mechanisms like CSRF tokens to protect session authenticity, directly preventing forged requests that exploit this CSRF vulnerability leading to stored XSS.
SI-10 enforces input validation to reject malicious XSS payloads that could be stored via the CSRF attack in the Post Carousel Slider plugin.
SI-15 applies output filtering and encoding to neutralize stored XSS payloads when affected carousel content is rendered for other users.
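The three controls above map onto three places in a WordPress plugin's settings flow. The following is an added example written for this page, not code from the Post Carousel Slider plugin or the Patchstack advisory; the option name `pcs_caption`, the action `pcs_save_caption` and the nonce field `pcs_nonce` are hypothetical. It shows a settings handler that verifies a nonce (SC-23), sanitizes the submitted value (SI-10) and escapes it on output (SI-15), so that a forged cross-site request cannot store a payload and a stored value cannot execute.

```php
<?php
// Added example: hypothetical plugin settings code, not the Post Carousel Slider source.

// Register the admin-post handler for the (hypothetical) "pcs_save_caption" action.
add_action( 'admin_post_pcs_save_caption', 'pcs_save_caption_handler' );

function pcs_save_caption_handler() {
    // SC-23 (session authenticity): reject any request without a valid nonce
    // bound to this action and the current user's session. A cross-site forged
    // request cannot supply it, so the CSRF step of the chain fails here.
    check_admin_referer( 'pcs_save_caption', 'pcs_nonce' );

    // A valid nonce proves intent, not authorization: the user must also be
    // allowed to change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // SI-10 (input validation): reduce the submitted caption to plain text,
    // stripping tags and control characters before it is stored.
    $caption = isset( $_POST['pcs_caption'] )
        ? sanitize_text_field( wp_unslash( $_POST['pcs_caption'] ) )
        : '';
    update_option( 'pcs_caption', $caption );

    wp_safe_redirect( admin_url( 'options-general.php?page=pcs&updated=1' ) );
    exit;
}

// The settings form emits the matching nonce field that the handler checks.
function pcs_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="pcs_save_caption">';
    wp_nonce_field( 'pcs_save_caption', 'pcs_nonce' );
    echo '<input type="text" name="pcs_caption" value="'
        . esc_attr( get_option( 'pcs_caption', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// SI-15 (output filtering): escape the stored value when the carousel is
// rendered, so anything that did reach the database cannot execute in the
// browsers of other users viewing the page.
function pcs_render_caption() {
    echo '<div class="pcs-caption">' . esc_html( get_option( 'pcs_caption', '' ) ) . '</div>';
}
```

Each layer is independent: the nonce check stops the forged write, sanitization limits what a legitimate-looking write can store, and output escaping neutralizes any stored value regardless of how it got there.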