Cyber Resilience

CVE-2025-25107

Critical

Published: 07 February 2025

Published
07 February 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0014 33.2th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25107 is a critical-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2025-25107 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the sainwp OneStore Sites WordPress plugin (onestore-sites). This issue affects all versions from n/a through 0.1.1 inclusive. The vulnerability has a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, lack of required privileges, user interaction requirement, and changed scope with high impacts across confidentiality, integrity, and availability.

An attacker can exploit this CSRF flaw remotely without authentication by tricking a victim—typically an authenticated WordPress administrator—into interacting with a malicious webpage, such as clicking a crafted link. This forces the victim's browser to submit unauthorized requests to the vulnerable plugin, enabling arbitrary plugin installation on the target site. Such installation could allow full site compromise, code execution, or further persistence, aligning with the vulnerability's high-impact CVSS metrics.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/onestore-sites/vulnerability/wordpress-onestore-sites-plugin-0-1-1-csrf-to-arbitrary-plugin-installation-vulnerability?_s_id=cve) describes the flaw as a CSRF leading to arbitrary plugin installation in OneStore Sites version 0.1.1. Practitioners should review this reference for detailed technical analysis, affected configurations, and recommended mitigations, such as updating the plugin or implementing CSRF protections.

EU & UK References

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in sainwp OneStore Sites onestore-sites allows Cross Site Request Forgery.This issue affects OneStore Sites: from n/a through <= 0.1.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

The CSRF vulnerability in the public-facing OneStore Sites WordPress plugin is directly exploited by tricking an authenticated admin into clicking a crafted malicious link (T1204.001), enabling unauthorized plugin installation that leads to code execution and site compromise (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-25121Shared CWE-352
CVE-2025-24001Shared CWE-352
CVE-2025-25147Shared CWE-352
CVE-2026-34904Shared CWE-352
CVE-2024-26153Shared CWE-352
CVE-2025-28860Shared CWE-352
CVE-2026-45430Shared CWE-352
CVE-2025-23880Shared CWE-352
CVE-2025-59541Shared CWE-352
CVE-2026-23622Shared CWE-352

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SC-23 requires session authenticity mechanisms like CSRF tokens to prevent forged requests that exploit this vulnerability for arbitrary plugin installation.

prevent

SI-10 mandates validation of inputs to plugin endpoints, blocking unauthorized CSRF-submitted plugin installation requests.

prevent

CM-11 authorizes and monitors user-installed software, preventing the arbitrary plugin installation resulting from successful CSRF exploitation.

References