CVE-2025-25154

High

Published: 07 February 2025

Published

07 February 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0013 31.9th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25154 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-23 Session Authenticity good match

prevent

SC-23 requires session authenticity mechanisms such as anti-CSRF tokens, directly addressing the insufficient CSRF protections in the Custom Comment Notifications plugin that enable storage of XSS payloads.

SI-10 Information Input Validation good match

prevent

SI-10 mandates validation of inputs like comment or notification data, preventing injection of malicious XSS payloads exploited via the CSRF vulnerability.

SI-15 Information Output Filtering good match

prevent

SI-15 requires filtering and encoding of outputs when rendering comments or notifications, neutralizing any stored XSS payloads injected through the CSRF flaw.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1204.001 Malicious Link Execution

An adversary may rely upon a user clicking a malicious link in order to gain execution.

attack.mitre.org →

T1566.002 Spearphishing Link Initial Access

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

attack.mitre.org →

Why these techniques?

The vulnerability in a public-facing WordPress plugin is exploited via CSRF triggered by a malicious/phishing link to achieve stored XSS, directly mapping to public-facing app exploitation and user interaction via malicious link.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Cross-Site Request Forgery (CSRF) vulnerability in scweber Custom Comment Notifications custom-comment-notifications allows Stored XSS.This issue affects Custom Comment Notifications: from n/a through <= 1.0.8.

Deeper analysisAI

CVE-2025-25154 is a Cross-Site Request Forgery (CSRF) vulnerability in the scweber Custom Comment Notifications WordPress plugin (custom-comment-notifications) that allows Stored XSS. The issue affects all versions from n/a through 1.0.8, as documented with CWE-352 and a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). Published on 2025-02-07, it enables attackers to exploit insufficient CSRF protections to inject persistent cross-site scripting payloads.

Unauthenticated attackers accessible over the network can exploit this vulnerability with low attack complexity by tricking a user—typically an authenticated administrator or editor—into interacting with a maliciously crafted request, such as via a phishing link or webpage. Successful exploitation changes the scope to high, allowing the storage of XSS payloads in comments or notifications, which execute in the context of other users viewing affected content, resulting in low impacts to confidentiality, integrity, and availability.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/custom-comment-notifications/vulnerability/wordpress-custom-comment-notifications-plugin-1-0-8-csrf-to-stored-xss-vulnerability?_s_id=cve.

Details

CWE(s): CWE-352

CVEs Like This One

CVE-2025-26963Shared CWE-352

CVE-2025-23577Shared CWE-352

CVE-2026-28281Shared CWE-352

CVE-2025-23990Shared CWE-352

CVE-2025-26550Shared CWE-352

CVE-2025-23661Shared CWE-352

CVE-2026-25812Shared CWE-352

CVE-2026-39640Shared CWE-352

CVE-2025-25147Shared CWE-352

CVE-2025-25100Shared CWE-352

References

https://patchstack.com/database/Wordpress/Plugin/custom-comment-notifications/vulnerability/wordpress-custom-comment-notifications-plugin-1-0-8-csrf-to-stored-xss-vulnerability?_s_id=cve
audit@patchstack.com