CVE-2025-25135
Published: 07 February 2025
Summary
CVE-2025-25135 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-25135 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin Custom Links On Admin Dashboard Toolbar (slug: customize-wpadmin) by Victor Barkalov. The flaw enables Stored Cross-Site Scripting (XSS) and affects the plugin from unknown initial versions through 3.3. Published on 2025-02-07, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Unauthenticated attackers can exploit this vulnerability remotely with low complexity, though it requires user interaction such as an administrator visiting a malicious site or clicking a crafted link. Exploitation via CSRF tricks the victim into submitting a request that stores an XSS payload on the admin dashboard toolbar, potentially allowing attackers to execute scripts in the context of logged-in administrators for session hijacking or further compromise.
The Patchstack advisory provides details on this vulnerability in Custom Links On Admin Dashboard Toolbar version 3.3, including recommended mitigations: https://patchstack.com/database/Wordpress/Plugin/customize-wpadmin/vulnerability/wordpress-custom-links-on-admin-dashboard-toolbar-plugin-3-3-csrf-to-stored-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4047
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in Victor Barkalov Custom Links On Admin Dashboard Toolbar customize-wpadmin allows Stored XSS.This issue affects Custom Links On Admin Dashboard Toolbar: from n/a through <= 3.3.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF to stored XSS in public-facing WordPress plugin directly enables T1190 exploitation of the app and facilitates T1185 browser session hijacking via arbitrary JavaScript execution (T1059.007) in admin context.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates CVE-2025-25135 by identifying, patching, and remediating the CSRF to Stored XSS flaw in the Custom Links On Admin Dashboard Toolbar plugin.
Prevents CSRF exploitation by enforcing session authenticity mechanisms such as anti-CSRF tokens on admin dashboard toolbar customization requests.
Blocks storage of malicious XSS payloads submitted via CSRF by validating and sanitizing custom link inputs in the WordPress plugin.