CVE-2025-24562
Published: 24 January 2025
Summary
CVE-2025-24562 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood ranking is the 28.0th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-24562 is a Cross-Site Request Forgery (CSRF) vulnerability in the Optimal Access KBucket WordPress plugin (kbucket) that allows Stored XSS. This issue affects KBucket versions from n/a through 4.1.6 and was published on 2025-01-24. It is associated with CWE-352 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no required privileges, though user interaction is necessary. By tricking a victim who is logged in to the WordPress site, most likely an administrator, into visiting a malicious page, an attacker can forge a request to the plugin in the victim's session and store a script payload through it. Because the forged request originates from the victim's browser and the stored script later runs in the browsers of other users who view the affected content, the scope is changed (S:C), with low-level impacts to confidentiality, integrity, and availability.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/kbucket/vulnerability/wordpress-kbucket-plugin-4-1-6-csrf-to-stored-cross-site-scripting-vulnerability?_s_id=cve provides details on this CSRF to Stored XSS vulnerability in the WordPress KBucket plugin version 4.1.6.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3770
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in Optimal Access KBucket (kbucket) allows Stored XSS. This issue affects KBucket: all versions through 4.1.6 (n/a through 4.1.6).
- CWE(s): CWE-352 Cross-Site Request Forgery (CSRF)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
The plugin runs inside a public-facing WordPress site; the attacker exploits the CSRF weakness by luring the victim to a malicious link or page, which triggers unauthorized state-changing actions in the victim's authenticated browser session and plants the stored XSS payload.
Affected Assets
- Optimal Access KBucket WordPress plugin (kbucket), all versions through 4.1.6
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly addresses the CVE by requiring identification, scanning, and timely remediation of flaws in vulnerable plugins such as KBucket <= 4.1.6; in practice, update the plugin to a release later than 4.1.6 or remove it.
- SC-23 (Session Authenticity): prevents the CSRF step by enforcing session-bound anti-CSRF tokens (in WordPress, nonces verified with check_admin_referer() or wp_verify_nonce()) on every state-changing request the plugin handles.
- SI-10 (Information Input Validation): mitigates the stored XSS that a CSRF-submitted payload would otherwise plant by validating and sanitizing inputs before they are stored, and escaping them on output, in the KBucket plugin.
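As an added, illustrative example (this is not KBucket's code and does not come from the Patchstack advisory), the hypothetical WordPress settings handler below shows the two defects that together turn a CSRF into a stored XSS, as described in the "Deeper analysis" section, beside a hardened form that applies the SC-23 and SI-10 controls listed above. Every name in it (the `kbx_*` functions, the `kbx_title` option, the `kbx_save_title` nonce action) is an assumption chosen for illustration; the WordPress API calls themselves are real.

```php
<?php
// Added example, not plugin code. All kbx_* names are hypothetical.

/* ---------- VULNERABLE handler: CSRF -> stored XSS ---------- */

// admin-post.php dispatches POST action=kbx_save_title here for logged-in users.
add_action( 'admin_post_kbx_save_title', 'kbx_save_title_vulnerable' );
function kbx_save_title_vulnerable() {
    // Defect 1 (CSRF, CWE-352): no nonce and no capability check, so any
    // cross-site form auto-submitted while an admin is logged in is accepted.
    // Defect 2 (stored XSS): the raw POST value is persisted untouched.
    update_option( 'kbx_title', $_POST['title'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=kbx' ) );
    exit;
}
function kbx_render_title_vulnerable() {
    // The sink: stored value echoed without escaping, so a stored
    // "<script>..." runs in every viewer's browser.
    echo '<h2>' . get_option( 'kbx_title' ) . '</h2>';
}

/* ---------- HARDENED handler: SC-23 + least privilege + SI-10 ---------- */

add_action( 'admin_post_kbx_save_title_secure', 'kbx_save_title_secure' );
function kbx_save_title_secure() {
    // SC-23 (Session Authenticity): the nonce is derived from the victim's
    // session and the action name, so a third-party page cannot forge it.
    // check_admin_referer() calls wp_die() when it is missing or invalid.
    check_admin_referer( 'kbx_save_title', 'kbx_nonce' );

    // Least privilege: a forged or replayed request from a low-privileged
    // account must still fail.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'kbx' ), 403 );
    }

    // SI-10 (Information Input Validation): strip tags/control characters
    // before storage. Missing field -> empty string, never a PHP notice.
    $title = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) )
        : '';
    update_option( 'kbx_title', $title );

    wp_safe_redirect( admin_url( 'options-general.php?page=kbx' ) );
    exit;
}
function kbx_render_title_secure() {
    // Escape at the sink as well: even a value stored by another path
    // (old data, direct DB edit) is rendered as text, not markup.
    echo '<h2>' . esc_html( get_option( 'kbx_title', '' ) ) . '</h2>';
}
function kbx_render_form_secure() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="kbx_save_title_secure">
        <?php wp_nonce_field( 'kbx_save_title', 'kbx_nonce' ); ?>
        <input type="text" name="title"
               value="<?php echo esc_attr( get_option( 'kbx_title', '' ) ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}
```

The two fixes are independent and both are needed: the nonce check stops a cross-site request from ever reaching update_option(), while sanitize_text_field() on input and esc_html()/esc_attr() on output ensure that a value which reaches storage by any other route cannot execute in an administrator's browser. The CVSS vector on this page (PR:N, UI:R) matches this picture: the attacker needs no account of their own, but does need a privileged victim to load the forged request while logged in.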