CVE-2025-26545
Published: 13 February 2025
Summary
CVE-2025-26545 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the specific CSRF-to-stored XSS flaw in the vulnerable WordPress plugin by requiring identification, prioritization, and patching or removal.
Enforces session authenticity mechanisms like CSRF tokens to prevent unauthenticated attackers from tricking authenticated users into injecting XSS payloads via forged requests.
Validates information inputs to the plugin's related posts functionality, blocking malicious XSS payloads from being stored even if a CSRF request succeeds.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a CSRF-to-stored-XSS vulnerability in a public-facing WordPress plugin, directly enabling T1190 (Exploit Public-Facing Application). The attack requires tricking an admin via a malicious link or webpage, facilitating T1566.002 (Spearphishing Link). The resulting stored XSS payload executes in victim browsers to steal session cookies, enabling T1185 (Browser Session Hijacking).
NVD Description
Cross-Site Request Forgery (CSRF) vulnerability in shisuh Related Posts Line-up-Exactly by Milliard related-posts-line-up-exactry-by-milliard allows Stored XSS.This issue affects Related Posts Line-up-Exactly by Milliard: from n/a through <= 0.0.22.
Deeper analysisAI
CVE-2025-26545 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin Related Posts Line-up-Exactly by Milliard (related-posts-line-up-exactry-by-milliard) that allows Stored Cross-Site Scripting (XSS). The issue affects all versions of the plugin from n/a through 0.0.22 inclusive. It is associated with CWE-352 and has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network-based exploitation with low complexity, no privileges required, user interaction needed, changed scope, and low impacts across confidentiality, integrity, and availability.
An unauthenticated attacker (PR:N) can exploit this vulnerability over the network (AV:N) by tricking an authenticated user, typically an administrator, into performing an unintended action via a malicious webpage or link (UI:R). This forged request injects and stores an XSS payload through the plugin's functionality, which executes in the browser context of subsequent users viewing affected pages, enabling potential theft of sensitive data like session cookies or further site compromise.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/related-posts-line-up-exactry-by-milliard/vulnerability/wordpress-related-posts-line-up-exactly-by-milliard-plugin-0-0-22-csrf-to-stored-xss-vulnerability?_s_id=cve provides details on this CSRF-to-Stored XSS vulnerability in the Related Posts Line-up-Exactly by Milliard plugin version 0.0.22. Security practitioners should consult this reference for specific mitigation recommendations, such as applying available patches or removing the vulnerable plugin.
Details
- CWE(s)