Cyber Resilience

CVE-2025-25154

High

Published: 07 February 2025

Published
07 February 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0013 32.0th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25154 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-25154 is a Cross-Site Request Forgery (CSRF) vulnerability in the scweber Custom Comment Notifications WordPress plugin (custom-comment-notifications) that allows Stored XSS. The issue affects all versions from n/a through 1.0.8, as documented with CWE-352 and a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). Published on 2025-02-07, it enables attackers to exploit insufficient CSRF protections to inject persistent cross-site scripting payloads.

Unauthenticated attackers accessible over the network can exploit this vulnerability with low attack complexity by tricking a user—typically an authenticated administrator or editor—into interacting with a maliciously crafted request, such as via a phishing link or webpage. Successful exploitation changes the scope to high, allowing the storage of XSS payloads in comments or notifications, which execute in the context of other users viewing affected content, resulting in low impacts to confidentiality, integrity, and availability.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/custom-comment-notifications/vulnerability/wordpress-custom-comment-notifications-plugin-1-0-8-csrf-to-stored-xss-vulnerability?_s_id=cve.

EU & UK References

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in scweber Custom Comment Notifications custom-comment-notifications allows Stored XSS.This issue affects Custom Comment Notifications: from n/a through <= 1.0.8.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Why these techniques?

The vulnerability in a public-facing WordPress plugin is exploited via CSRF triggered by a malicious/phishing link to achieve stored XSS, directly mapping to public-facing app exploitation and user interaction via malicious link.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-47100Shared CWE-352
CVE-2025-26963Shared CWE-352
CVE-2026-28281Shared CWE-352
CVE-2025-23577Shared CWE-352
CVE-2025-25121Shared CWE-352
CVE-2025-24001Shared CWE-352
CVE-2025-25147Shared CWE-352
CVE-2026-34904Shared CWE-352
CVE-2026-3857Shared CWE-352
CVE-2024-26153Shared CWE-352

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SC-23 requires session authenticity mechanisms such as anti-CSRF tokens, directly addressing the insufficient CSRF protections in the Custom Comment Notifications plugin that enable storage of XSS payloads.

prevent

SI-10 mandates validation of inputs like comment or notification data, preventing injection of malicious XSS payloads exploited via the CSRF vulnerability.

prevent

SI-15 requires filtering and encoding of outputs when rendering comments or notifications, neutralizing any stored XSS payloads injected through the CSRF flaw.

References