Cyber Resilience

CVE-2025-25168

Severity: High
Published: 07 February 2025
Modified: 23 April 2026
KEV Added: not currently listed
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0005 (17.1th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-25168 is a high-severity CSRF (CWE-352) vulnerability in Blackandwhitedigital Bookpress. Its CVSS base score is 7.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 17.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-25168 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin BookPress – For Book Authors (also listed as Black and White BookPress – For Book Authors, plugin slug book-press) that enables stored Cross-Site Scripting (XSS). The issue affects the plugin from an unknown initial version through version 1.2.7 inclusive and is classified as CWE-352.

With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability is remotely exploitable by an unauthenticated attacker with low complexity, but it requires user interaction: the attacker needs an authenticated user to visit a malicious page. That page causes the victim's browser to submit a forged request to the vulnerable plugin endpoint, and because the endpoint neither verifies request origin nor sanitizes the submitted content, an XSS payload is stored. The direct impact on confidentiality, integrity, and availability is rated low, but the scope is changed because the stored XSS later executes in the browsers of other users who view the injected content.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/book-press/vulnerability/wordpress-bookpress-for-book-authors-plugin-1-2-7-csrf-to-stored-xss-vulnerability?_s_id=cve provides details on the vulnerability, including potential mitigation or patch information for affected installations.
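The two controls named in this record (session authenticity and input validation) correspond to concrete WordPress plugin patterns. The following is an added illustration, not code from BookPress or from the Patchstack advisory: a hypothetical admin form handler shown first in the weak form that this CVE class describes, then hardened. The option name `bp_demo_blurb`, the action name `bp_demo_save` and the nonce field name `bp_demo_nonce` are invented for the example; the WordPress functions used (`wp_nonce_field`, `wp_verify_nonce`, `current_user_can`, `wp_kses_post`, `admin_post_*` hooks) are the standard core API.

```php
<?php
/*
 * Added example (not BookPress code). A hypothetical WordPress admin
 * handler in two variants. Names bp_demo_blurb, bp_demo_save and
 * bp_demo_nonce are invented for illustration.
 */

// --- Variant 1: the weak pattern behind CSRF-to-stored-XSS ---------------
// No nonce check (any origin can forge the POST), no capability check,
// the raw value is stored, and it is later echoed without escaping.
// Shown for contrast only; deliberately NOT hooked into any action.
function bp_demo_save_weak() {
    if ( isset( $_POST['bp_demo_blurb'] ) ) {
        update_option( 'bp_demo_blurb', $_POST['bp_demo_blurb'] );
    }
}

function bp_demo_render_weak() {
    echo '<div class="blurb">' . get_option( 'bp_demo_blurb', '' ) . '</div>';
}

// --- Variant 2: hardened ---------------------------------------------------
// Session authenticity (SC-23): a per-user, per-action nonce ties the
// request to a form the logged-in user actually loaded, so a cross-site
// POST that lacks it is rejected. A capability check limits who may
// change the option at all.
// Input validation (SI-10): the stored value is reduced to an allowed
// HTML subset, and it is filtered again at render time.
function bp_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="bp_demo_save">
        <?php wp_nonce_field( 'bp_demo_save', 'bp_demo_nonce' ); ?>
        <textarea name="bp_demo_blurb"><?php echo esc_textarea( get_option( 'bp_demo_blurb', '' ) ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function bp_demo_save_hardened() {
    // Reject any request without a valid nonce for this exact action.
    if ( ! isset( $_POST['bp_demo_nonce'] )
        || ! wp_verify_nonce( $_POST['bp_demo_nonce'], 'bp_demo_save' ) ) {
        wp_die( 'Invalid request', 'Forbidden', array( 'response' => 403 ) );
    }
    // Only users permitted to manage options may change the value.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 'Forbidden', array( 'response' => 403 ) );
    }
    // Keep only the post-safe HTML subset: script tags, on* event
    // attributes and javascript: URLs are stripped before storage.
    $blurb = wp_kses_post( wp_unslash( $_POST['bp_demo_blurb'] ?? '' ) );
    update_option( 'bp_demo_blurb', $blurb );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
// admin-post.php dispatches action=bp_demo_save here for logged-in users.
add_action( 'admin_post_bp_demo_save', 'bp_demo_save_hardened' );

function bp_demo_render_hardened() {
    // Filter on output as well; stored data is never trusted as-is.
    echo '<div class="blurb">' . wp_kses_post( get_option( 'bp_demo_blurb', '' ) ) . '</div>';
}
```

The nonce check is what closes the CSRF vector (CVSS PR:N with UI:R: the attacker is unauthenticated, the victim is not), and `wp_kses_post` on both the write and the read path is what keeps a forged or otherwise malformed submission from turning into stored script for other users. Either control alone leaves a gap; the record's two mitigations are complementary rather than alternatives.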


Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in Black and White BookPress – For Book Authors book-press allows Cross-Site Scripting (XSS). This issue affects BookPress – For Book Authors: from n/a through <= 1.2.7.

CWE(s): CWE-352 (Cross-Site Request Forgery)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a CSRF vulnerability in a public-facing WordPress plugin that enables stored XSS, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-25167: same product (Blackandwhitedigital Bookpress)
CVE-2024-37102: shared CWE-352
CVE-2024-37450: shared CWE-352
CVE-2025-23558: shared CWE-352
CVE-2025-68722: shared CWE-352
CVE-2025-31440: shared CWE-352
CVE-2025-23848: shared CWE-352
CVE-2025-22571: shared CWE-352
CVE-2024-53684: shared CWE-352
CVE-2025-23455: shared CWE-352

Affected Assets

blackandwhitedigital bookpress, versions ≤ 1.2.7

Mitigating Controls (NIST 800-53 r5)

Prevent: directly mitigates CVE-2025-25168 by requiring timely remediation of the CSRF-to-stored-XSS flaw in the BookPress plugin, that is, patching to a version beyond 1.2.7.

Prevent (SC-23 Session Authenticity): blocks CSRF exploitation by enforcing session authenticity, so forged requests that would trick authenticated users into storing XSS payloads are rejected.

Prevent (SI-10 Information Input Validation): validates and sanitizes plugin inputs so that malicious XSS payloads cannot be stored via the CSRF vector.
