CVE-2025-25168
Published: 07 February 2025
Summary
CVE-2025-25168 is a high-severity CSRF (CWE-352) vulnerability in Blackandwhitedigital Bookpress. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 17.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-25168 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin BookPress – For Book Authors (also listed as Black and White BookPress – For Book Authors; plugin slug book-press) that enables stored Cross-Site Scripting (XSS). The issue affects the plugin from an unknown initial version through version 1.2.7 inclusive and is classified as CWE-352.
With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability can be exploited remotely by unauthenticated attackers with low complexity, though it requires user interaction. An attacker can craft a malicious webpage that, when visited by an authenticated user, causes the browser to submit a forged request to the vulnerable plugin endpoint, resulting in the storage of an XSS payload. The impacts on confidentiality, integrity, and availability are each rated low, with a changed scope because the stored XSS can affect other users who view the injected content.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/book-press/vulnerability/wordpress-bookpress-for-book-authors-plugin-1-2-7-csrf-to-stored-xss-vulnerability?_s_id=cve provides details on the vulnerability, including potential mitigation or patch information for affected installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4071
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in Black and White BookPress – For Book Authors book-press allows Cross-Site Scripting (XSS). This issue affects BookPress – For Book Authors: from n/a through 1.2.7 inclusive.
- CWE(s): CWE-352
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a CSRF vulnerability in a public-facing WordPress plugin that enables stored XSS, directly mapping to exploitation of public-facing applications.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates CVE-2025-25168 by requiring timely remediation of the CSRF-to-stored-XSS flaw in the BookPress plugin, i.e. updating the plugin to a version later than 1.2.7.
- SC-23 (Session Authenticity): prevents CSRF exploitation by binding state-changing requests to the user's session, so a forged request that tricks an authenticated user into storing an XSS payload is rejected.
- SI-10 (Information Input Validation): validates and sanitizes plugin inputs so that a malicious XSS payload cannot be stored via the CSRF vector.
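To make the two controls above concrete, here is an added example (not BookPress code and not taken from the Patchstack advisory) of a hypothetical WordPress admin-post handler that saves an author bio setting, shown first in a weak form with the same defect class the advisory describes (no CSRF token, no capability check, raw HTML stored) and then in a hardened form. The option name `hypo_author_bio`, the action slug `hypo_save_author_bio` and the `hypo_` function names are assumptions chosen for illustration; the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `wp_kses_post`, `esc_textarea`) are real.

```php
<?php
// Added example, not plugin code. Names prefixed "hypo_" are hypothetical.

// --- Weak form: no nonce, no capability check, unsanitized storage -----------
// A cross-site POST triggered from an attacker page in a logged-in user's
// browser reaches this handler, and whatever HTML it carries is stored and
// later rendered to every visitor: CSRF leading to stored XSS.
function hypo_save_author_bio_weak() {
    $bio = isset( $_POST['author_bio'] ) ? wp_unslash( $_POST['author_bio'] ) : '';
    update_option( 'hypo_author_bio', $bio );   // stored as-is
    wp_safe_redirect( admin_url( 'admin.php?page=hypo-settings' ) );
    exit;
}

// --- Hardened form -----------------------------------------------------------
// 1. Nonce check (SC-23, session authenticity): the nonce is bound to the
//    current user's session and to this action, so a forged cross-site
//    request cannot supply a valid one. check_admin_referer() dies with a
//    403 page when the nonce is missing or invalid.
// 2. Capability check: only users allowed to manage options may change it.
// 3. Sanitization on write (SI-10, input validation) plus escaping on output.
function hypo_save_author_bio_hardened() {
    check_admin_referer( 'hypo_save_author_bio', 'hypo_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hypo' ), '', array( 'response' => 403 ) );
    }

    $raw = isset( $_POST['author_bio'] ) ? wp_unslash( $_POST['author_bio'] ) : '';
    // wp_kses_post() keeps only the post-content allowlist of tags and
    // attributes, removing script elements, event-handler attributes and
    // javascript: URLs before the value is stored.
    $bio = wp_kses_post( $raw );
    update_option( 'hypo_author_bio', $bio );

    wp_safe_redirect( admin_url( 'admin.php?page=hypo-settings' ) );
    exit;
}
add_action( 'admin_post_hypo_save_author_bio', 'hypo_save_author_bio_hardened' );

// The settings form must emit the matching nonce field, or legitimate
// submissions will fail the check above.
function hypo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hypo_save_author_bio">
        <?php wp_nonce_field( 'hypo_save_author_bio', 'hypo_nonce' ); ?>
        <textarea name="author_bio"><?php echo esc_textarea( get_option( 'hypo_author_bio', '' ) ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Defence in depth: filter again at render time so that a value written by
// an older, weaker code path is still neutralized when displayed.
function hypo_display_author_bio() {
    echo wp_kses_post( get_option( 'hypo_author_bio', '' ) );
}
```

The nonce check and the capability check address the CSRF half of the chain (a forged request is rejected before anything is written), while `wp_kses_post()` on both the write and the read path addresses the stored-XSS half, so the two NIST controls named above map directly onto two independent lines in the handler.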