CVE-2025-25156
Published: 07 February 2025
Summary
CVE-2025-25156 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood score ranks at the 32nd percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-25156 is a Cross-Site Request Forgery (CSRF) vulnerability in the Quote Comments WordPress plugin developed by Stanko Metodiev, which enables Stored Cross-Site Scripting (XSS). The flaw affects all versions of the Quote Comments plugin from unknown initial release through version 3.0.0 inclusive, as documented under CWE-352.
An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) by luring a logged-in victim to a malicious webpage that submits the state-changing request on the victim's behalf; attack complexity is low (AC:L) but user interaction is required (UI:R). The forged request stores an XSS payload that later executes in the browsers of other users who view the affected content, which is why the scope changes (S:C): the impact crosses from the plugin's own security authority into the browsers of site visitors. Confidentiality, integrity, and availability impacts are each rated low (C:L/I:L/A:L). The resulting CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, which yields a base score of 7.1.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/quote-comments/vulnerability/wordpress-quote-comments-plugin-2-2-1-csrf-to-stored-xss-vulnerability?_s_id=cve details the vulnerability in the Quote Comments plugin. Practitioners should consult it for remediation guidance; the baseline action is to update the plugin to a non-vulnerable release later than 3.0.0, since every version up to and including 3.0.0 is affected.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4065
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in Stanko Metodiev Quote Comments quote-comments allows Stored XSS. This issue affects Quote Comments: from n/a through <= 3.0.0.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.007 Command and Scripting Interpreter: JavaScript
Why these techniques?
The CSRF-to-stored-XSS flaw sits in a public-facing WordPress plugin, so exploiting it is an attack on the web application itself (T1190). Once the forged request has stored the payload, the attacker's JavaScript executes in the browsers of users who view the affected content (T1059.007).
Affected Assets
- Quote Comments WordPress plugin (slug: quote-comments) by Stanko Metodiev, all versions through 3.0.0 inclusive
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly addresses the CVE by requiring identification, reporting, and timely remediation of the CSRF-to-stored-XSS flaw in the Quote Comments plugin through patching.
- SC-23 (Session Authenticity): Prevents the CSRF step by binding each state-changing request to the authenticated session, for example with per-session anti-CSRF tokens (WordPress nonces) or a challenge-response, so a request forged from a third-party page is rejected.
- SI-10 (Information Input Validation): Mitigates the stored XSS that the CSRF enables by validating and sanitizing submitted values before they are stored, and escaping them on output, so a script payload cannot reach other users' browsers.
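The following is an added illustration of the vulnerability class described in the Deeper analysis and of the SC-23 and SI-10 controls listed above; it is hypothetical example code, not the Quote Comments plugin's own source. It assumes a plugin setting stored in a WordPress option (here named qc_demo_prefix) that is later rendered into comment HTML; the option name, form field, admin-post action name and function names are all made up for the example. Only real WordPress core APIs are used.

```php
<?php
/**
 * Hypothetical WordPress settings handler (example code, not the Quote
 * Comments plugin's source). Shows the CSRF-to-stored-XSS pattern next to
 * its hardened counterpart.
 *
 * Assumptions (made up for this example): an option 'qc_demo_prefix' that is
 * later echoed into each comment, a form field of the same name, and an
 * admin-post action 'qc_demo_save'.
 */

// --- Vulnerable handler: no nonce, no capability check, raw input stored ---
function qc_demo_save_vulnerable() {
    // Any browser that reaches admin-post.php?action=qc_demo_save with the
    // victim's cookies is accepted. A logged-in administrator lured to a page
    // that auto-submits a form here stores whatever value the attacker chose,
    // including a <script> payload that later runs for every site visitor.
    update_option( 'qc_demo_prefix', $_POST['qc_demo_prefix'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=qc-demo' ) );
    exit;
}

// --- Hardened handler: session authenticity (SC-23) + input validation (SI-10) ---
function qc_demo_save_hardened() {
    // Reject the request unless it carries a nonce tied to this user's session
    // and to this specific action. A third-party page cannot read or forge it,
    // so a cross-site request fails here (SC-23).
    check_admin_referer( 'qc_demo_save', 'qc_demo_nonce' );

    // Also require the capability the action actually needs, rather than
    // relying on "whoever got here".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }

    // Strip tags, control characters and surrounding whitespace before storing,
    // so a script payload never reaches the database (SI-10).
    $prefix = isset( $_POST['qc_demo_prefix'] )
        ? sanitize_text_field( wp_unslash( $_POST['qc_demo_prefix'] ) )
        : '';
    update_option( 'qc_demo_prefix', $prefix );
    wp_safe_redirect( admin_url( 'options-general.php?page=qc-demo' ) );
    exit;
}

// Settings form: emits the nonce field that the hardened handler verifies.
function qc_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="qc_demo_save">
        <?php wp_nonce_field( 'qc_demo_save', 'qc_demo_nonce' ); ?>
        <input type="text" name="qc_demo_prefix"
               value="<?php echo esc_attr( get_option( 'qc_demo_prefix', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Output side: escape on render as well, so a value stored before the fix was
// applied still cannot execute in visitors' browsers (defense in depth).
function qc_demo_render_prefix() {
    echo esc_html( get_option( 'qc_demo_prefix', '' ) );
}

// Wire the hardened handler to the admin-post action; the vulnerable one is
// kept only to show the difference and must never be registered.
add_action( 'admin_post_qc_demo_save', 'qc_demo_save_hardened' );
```

The two controls are independent and both matter: the nonce check alone stops the forged request, but a site where an administrator legitimately pastes markup would still store it, and output escaping alone leaves the forged write in the database. Treating the stored value as untrusted on both the input and the output side is what closes the CSRF-to-stored-XSS chain.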