CVE-2025-23990
Published: 31 January 2025
Summary
CVE-2025-23990 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely identification, reporting, and correction of the CSRF-to-stored-XSS flaw in Scroll Styler plugin versions <=1.1 directly prevents exploitation.
Mechanisms protecting session authenticity, such as anti-CSRF tokens, block unauthenticated attackers from forging requests that trick authenticated users into injecting stored XSS.
Validating information inputs for CSRF tokens and sanitizing plugin data prevents both forged requests and the resulting stored XSS execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF vulnerability in public-facing WordPress plugin directly enables T1190 Exploit Public-Facing Application; attack requires tricking users via crafted webpage, facilitating T1566.002 Spearphishing Link; stored XSS outcome noted but no further direct mappings.
NVD Description
Cross-Site Request Forgery (CSRF) vulnerability in jablonczay Scroll Styler scroll-styler.This issue affects Scroll Styler: from n/a through <= 1.1.
Deeper analysisAI
CVE-2025-23990 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Scroll Styler WordPress plugin developed by jablonczay. This issue affects Scroll Styler versions from n/a through 1.1. The vulnerability was published on 2025-01-31 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, user interaction requirement, and scope change with low impacts across confidentiality, integrity, and availability.
Unauthenticated attackers can exploit this CSRF vulnerability over the network by tricking authenticated users, such as WordPress administrators, into performing unintended actions via malicious requests, typically through user interaction like visiting a crafted webpage. Successful exploitation changes the scope of impact, potentially allowing limited disruption to confidentiality, integrity, and availability, with the Patchstack reference indicating it enables stored XSS in Scroll Styler version 1.1.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/scroll-styler/vulnerability/wordpress-scroll-styler-plugin-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve documents this CSRF-to-stored-XSS issue and serves as a key reference for mitigation details specific to the affected WordPress plugin.
Details
- CWE(s)