CVE-2025-26570
Published: 13 February 2025
Summary
CVE-2025-26570 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 27.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-23 (Session Authenticity).
Deeper analysis
CVE-2025-26570 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin Glance That (also referenced as glance-that). It affects all versions up to and including 4.9 (no lower bound is given) and was published on 2025-02-13. It carries a CVSS v3.1 base score of 7.1, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L.
An unauthenticated attacker can exploit this vulnerability over the network with low attack complexity, but needs user interaction (UI:R): a victim with an active WordPress session must be induced to perform an action, typically opening an attacker-controlled page that submits the forged request. The scope is changed (S:C) because the forged request against the plugin is used to plant content that later executes in other users' browsers (the CSRF-to-stored-XSS chain described in the Patchstack advisory), and the assessed impact on confidentiality, integrity and availability is low (L) for each.
The primary advisory is available from Patchstack at https://patchstack.com/database/Wordpress/Plugin/glance-that/vulnerability/wordpress-glance-that-plugin-4-9-csrf-to-stored-xss-vulnerability?_s_id=cve, which details the CSRF-to-stored-XSS nature of the flaw and associated mitigation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4226
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in uamv Glance That allows Cross Site Request Forgery. This issue affects Glance That: from n/a through 4.9.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a CSRF-to-stored-XSS vulnerability in a public-facing WordPress plugin, directly enabling exploitation of public-facing applications (T1190) and persistent JavaScript execution in the victim's browser context via stored XSS (T1059.007).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authorization checks (e.g., nonce/token validation together with a capability check) on state-changing requests, blocking the forged cross-site actions that define this CSRF vulnerability.
- SC-23 (Session Authenticity): Requires mechanisms that bind requests to an authentic session, so that an attacker cannot replay or forge authenticated actions against the plugin merely because the victim's browser attaches its session cookie.
- Input validation: Mandates validation of all inputs and request origins, enabling rejection of CSRF payloads that lack expected tokens or originate from untrusted sites, and preventing unsanitized values from being stored and later rendered as script.
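The following is an added example, not code from Glance That or from Patchstack, showing the generic WordPress plugin pattern that produces a CSRF-to-stored-XSS chain and the hardened form that applies the controls above. The hook, option and field names (gt_example_save, gt_example_label, gt_label, _gt_nonce) are hypothetical; the WordPress API calls (wp_nonce_field, wp_verify_nonce, current_user_can, sanitize_text_field, esc_html, update_option) are real core functions.

```php
<?php
// Added example, not Glance That's code. Hook, option and field names are hypothetical.

// ---- Vulnerable pattern (shown for contrast, deliberately NOT hooked below) ----
// A page the admin visits can auto-submit a cross-origin POST to admin-post.php.
// The browser attaches the admin's cookies, so the request looks authentic.
function gt_example_save_vulnerable() {
    // Trusted solely because a session cookie is present: no nonce, no capability check.
    $label = isset( $_POST['gt_label'] ) ? $_POST['gt_label'] : '';
    update_option( 'gt_example_label', $label );   // stored unsanitized
    wp_safe_redirect( admin_url( 'index.php' ) );
    exit;
}

function gt_example_render_vulnerable() {
    // Unescaped output: a stored "<script>" payload runs in every viewer's browser.
    echo '<p>' . get_option( 'gt_example_label', '' ) . '</p>';
}

// ---- Hardened pattern: nonce + capability on input, sanitize on store, escape on output ----
function gt_example_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'gt_example_save', '_gt_nonce' ); ?>
        <input type="hidden" name="action" value="gt_example_save">
        <input type="text" name="gt_label"
               value="<?php echo esc_attr( get_option( 'gt_example_label', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function gt_example_save_hardened() {
    // 1. Access enforcement (AC-3): the caller must be allowed to change settings at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. Session authenticity (SC-23): the nonce is an HMAC bound to this user's session
    //    and the action name. A forged cross-site form cannot obtain it, so it fails here
    //    even though the victim's cookies were sent.
    if ( ! isset( $_POST['_gt_nonce'] )
         || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_gt_nonce'] ) ), 'gt_example_save' ) ) {
        wp_die( 'Request verification failed', '', array( 'response' => 403 ) );
    }

    // 3. Input validation: strip tags and control characters before storage.
    $label = isset( $_POST['gt_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['gt_label'] ) )
        : '';
    update_option( 'gt_example_label', $label );

    wp_safe_redirect( admin_url( 'index.php' ) );
    exit;
}
add_action( 'admin_post_gt_example_save', 'gt_example_save_hardened' );

function gt_example_render_hardened() {
    // 4. Output encoding: even if a bad value reached the database, it renders inert.
    echo '<p>' . esc_html( get_option( 'gt_example_label', '' ) ) . '</p>';
}
```

Two points worth checking in any plugin audit: a nonce check without a capability check still lets any logged-in user with a valid nonce change the setting, and a capability check without a nonce is exactly the CSRF condition, because the forged request runs with the victim's capabilities. Output escaping is the layer that turns a CSRF into "attacker changed a setting" rather than "attacker runs script in every admin's browser".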