Cyber Resilience

CVE-2025-25135

High

Published: 07 February 2025

Published
07 February 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0013 32.0th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25135 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-25135 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin Custom Links On Admin Dashboard Toolbar (slug: customize-wpadmin) by Victor Barkalov. The flaw enables Stored Cross-Site Scripting (XSS) and affects the plugin from unknown initial versions through 3.3. Published on 2025-02-07, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity, though it requires user interaction such as an administrator visiting a malicious site or clicking a crafted link. Exploitation via CSRF tricks the victim into submitting a request that stores an XSS payload on the admin dashboard toolbar, potentially allowing attackers to execute scripts in the context of logged-in administrators for session hijacking or further compromise.

The Patchstack advisory provides details on this vulnerability in Custom Links On Admin Dashboard Toolbar version 3.3, including recommended mitigations: https://patchstack.com/database/Wordpress/Plugin/customize-wpadmin/vulnerability/wordpress-custom-links-on-admin-dashboard-toolbar-plugin-3-3-csrf-to-stored-xss-vulnerability?_s_id=cve.

EU & UK References

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in Victor Barkalov Custom Links On Admin Dashboard Toolbar customize-wpadmin allows Stored XSS.This issue affects Custom Links On Admin Dashboard Toolbar: from n/a through <= 3.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

CSRF to stored XSS in public-facing WordPress plugin directly enables T1190 exploitation of the app and facilitates T1185 browser session hijacking via arbitrary JavaScript execution (T1059.007) in admin context.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-26578Shared CWE-352
CVE-2025-30584Shared CWE-352
CVE-2025-23654Shared CWE-352
CVE-2025-28931Shared CWE-352
CVE-2025-23980Shared CWE-352
CVE-2025-23710Shared CWE-352
CVE-2025-23822Shared CWE-352
CVE-2025-25128Shared CWE-352
CVE-2025-23900Shared CWE-352
CVE-2025-31616Shared CWE-352

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

preventrecover

Directly mitigates CVE-2025-25135 by identifying, patching, and remediating the CSRF to Stored XSS flaw in the Custom Links On Admin Dashboard Toolbar plugin.

prevent

Prevents CSRF exploitation by enforcing session authenticity mechanisms such as anti-CSRF tokens on admin dashboard toolbar customization requests.

prevent

Blocks storage of malicious XSS payloads submitted via CSRF by validating and sanitizing custom link inputs in the WordPress plugin.

References