Cyber Resilience

CVE-2025-23990

High

Published: 31 January 2025

Published
31 January 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0014 34.2th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-23990 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-23990 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Scroll Styler WordPress plugin developed by jablonczay. This issue affects Scroll Styler versions from n/a through 1.1. The vulnerability was published on 2025-01-31 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, user interaction requirement, and scope change with low impacts across confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this CSRF vulnerability over the network by tricking authenticated users, such as WordPress administrators, into performing unintended actions via malicious requests, typically through user interaction like visiting a crafted webpage. Successful exploitation changes the scope of impact, potentially allowing limited disruption to confidentiality, integrity, and availability, with the Patchstack reference indicating it enables stored XSS in Scroll Styler version 1.1.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/scroll-styler/vulnerability/wordpress-scroll-styler-plugin-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve documents this CSRF-to-stored-XSS issue and serves as a key reference for mitigation details specific to the affected WordPress plugin.

EU & UK References

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in jablonczay Scroll Styler scroll-styler.This issue affects Scroll Styler: from n/a through <= 1.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Why these techniques?

CSRF vulnerability in public-facing WordPress plugin directly enables T1190 Exploit Public-Facing Application; attack requires tricking users via crafted webpage, facilitating T1566.002 Spearphishing Link; stored XSS outcome noted but no further direct mappings.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3857Shared CWE-352
CVE-2024-37937Shared CWE-352
CVE-2026-44925Shared CWE-352
CVE-2025-30555Shared CWE-352
CVE-2026-34394Shared CWE-352
CVE-2024-37412Shared CWE-352
CVE-2024-47100Shared CWE-352
CVE-2025-26545Shared CWE-352
CVE-2025-26963Shared CWE-352
CVE-2025-23572Shared CWE-352

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely identification, reporting, and correction of the CSRF-to-stored-XSS flaw in Scroll Styler plugin versions <=1.1 directly prevents exploitation.

prevent

Mechanisms protecting session authenticity, such as anti-CSRF tokens, block unauthenticated attackers from forging requests that trick authenticated users into injecting stored XSS.

prevent

Validating information inputs for CSRF tokens and sanitizing plugin data prevents both forged requests and the resulting stored XSS execution.

References