CVE-2025-25107
Published: 07 February 2025
Summary
CVE-2025-25107 is a critical-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SC-23 (Session Authenticity).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SC-23 requires session authenticity mechanisms like CSRF tokens to prevent forged requests that exploit this vulnerability for arbitrary plugin installation.
SI-10 mandates validation of inputs to plugin endpoints, blocking unauthorized CSRF-submitted plugin installation requests.
CM-11 authorizes and monitors user-installed software, preventing the arbitrary plugin installation resulting from successful CSRF exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CSRF vulnerability in the public-facing OneStore Sites WordPress plugin is directly exploited by tricking an authenticated admin into clicking a crafted malicious link (T1204.001), enabling unauthorized plugin installation that leads to code execution and site compromise (T1190).
NVD Description
Cross-Site Request Forgery (CSRF) vulnerability in sainwp OneStore Sites onestore-sites allows Cross Site Request Forgery.This issue affects OneStore Sites: from n/a through <= 0.1.1.
Deeper analysisAI
CVE-2025-25107 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the sainwp OneStore Sites WordPress plugin (onestore-sites). This issue affects all versions from n/a through 0.1.1 inclusive. The vulnerability has a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, lack of required privileges, user interaction requirement, and changed scope with high impacts across confidentiality, integrity, and availability.
An attacker can exploit this CSRF flaw remotely without authentication by tricking a victim—typically an authenticated WordPress administrator—into interacting with a malicious webpage, such as clicking a crafted link. This forces the victim's browser to submit unauthorized requests to the vulnerable plugin, enabling arbitrary plugin installation on the target site. Such installation could allow full site compromise, code execution, or further persistence, aligning with the vulnerability's high-impact CVSS metrics.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/onestore-sites/vulnerability/wordpress-onestore-sites-plugin-0-1-1-csrf-to-arbitrary-plugin-installation-vulnerability?_s_id=cve) describes the flaw as a CSRF leading to arbitrary plugin installation in OneStore Sites version 0.1.1. Practitioners should review this reference for detailed technical analysis, affected configurations, and recommended mitigations, such as updating the plugin or implementing CSRF protections.
Details
- CWE(s)