CVE-2025-25152
Published: 07 February 2025
Summary
CVE-2025-25152 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-25152 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Smart DoFollow WordPress plugin developed by LukaszWiecek. This flaw enables Stored XSS and affects all versions of the plugin from its initial release through 1.0.2. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, and scope change despite needing user interaction.
Attackers can exploit this vulnerability remotely without authentication by tricking a legitimate user, such as an authenticated administrator, into performing a malicious action via a forged request. This leads to the storage of XSS payloads on the site, which execute in the victim's browser context when pages are loaded, potentially allowing limited compromise of confidentiality, integrity, and availability.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/smart-dofollow/vulnerability/wordpress-smart-dofollow-plugin-1-0-2-csrf-to-stored-xss-vulnerability?_s_id=cve provides detailed information on the vulnerability, including potential mitigation steps for affected WordPress installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4061
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in LukaszWiecek Smart DoFollow smart-dofollow allows Stored XSS.This issue affects Smart DoFollow: from n/a through <= 1.0.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remote CSRF-to-stored-XSS vulnerability in a public-facing WordPress plugin, directly enabling exploitation of public-facing applications without authentication.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SC-23 enforces session authenticity mechanisms like anti-CSRF tokens, directly preventing forged requests that exploit this CSRF vulnerability to store XSS payloads.
SI-10 validates information inputs to block malicious XSS payloads from being accepted and stored through the CSRF-vulnerable endpoint in the WordPress plugin.
SI-15 filters system outputs to neutralize any stored XSS payloads, preventing their execution in victims' browsers even if injected via CSRF.