CVE-2025-26572
Published: 13 February 2025
Summary
CVE-2025-26572 is a high-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in the WP PHPList WordPress plugin (phplist-form-integration). Its CVSS v3.1 base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 27.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-26572 is a Cross-Site Request Forgery (CSRF) vulnerability, corresponding to CWE-352, in the jesseheap WP PHPList (phplist-form-integration) WordPress plugin. It affects all versions up to and including 1.7; no lower bound is given. Published on 2025-02-13, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
A remote, unauthenticated attacker (PR:N) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L), but it requires user interaction (UI:R): a victim who is logged in to the WordPress site must be lured into visiting an attacker-controlled page, which then submits a forged request to the plugin with the victim's session cookies attached. Scope changes (S:C) because the vulnerable component is the plugin, while the impact of the resulting stored XSS lands in the browsers of other users who later view the injected content. The impacts on confidentiality, integrity, and availability are each rated low (C:L/I:L/A:L): the attacker performs state-changing actions with the victim's privileges, here storing a script payload that executes for other users.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/phplist-form-integration/vulnerability/wordpress-wp-phplist-plugin-1-7-csrf-to-stored-xss-vulnerability?_s_id=cve describes this CSRF-to-stored-XSS vulnerability in WP PHPList plugin version 1.7 and earlier, including the recommended mitigation of updating to a patched version where one is available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4228
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in jesseheap WP PHPList phplist-form-integration allows Cross Site Request Forgery. This issue affects WP PHPList: from n/a through 1.7.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
Why these techniques?
The CSRF-to-stored-XSS vulnerability in the public-facing WordPress plugin directly enables initial access by exploiting a web application over the network, matching T1190: Exploit Public-Facing Application. The attack vector (network access with user interaction to trigger unauthorized actions) aligns precisely with this technique.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): updating the WP PHPList plugin from the affected versions (1.7 and earlier) to a patched release directly eliminates the CSRF-to-stored-XSS vulnerability, as the advisory recommends.
SC-23 (Session Authenticity): binding every state-changing request to the user's session with a per-action CSRF token (in WordPress, a nonce checked server-side) prevents exploitation, because a cross-site page can make the victim's browser send cookies but cannot read or forge a token issued to that session.
SI-10 (Information Input Validation): validating and sanitizing submitted values before they are stored, and escaping them on output, neutralizes the payload a forged request carries and so mitigates the stored XSS impact even if a request slips past the CSRF check.
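The following is an added example, not code from the WP PHPList plugin or from Patchstack, showing the class of bug the analysis above describes and the two code-level controls listed here (SC-23 and SI-10) applied to it. It is a WordPress admin-post settings handler; the option name `demo_form_title`, the action names `demo_save_vuln` / `demo_save`, and the nonce name `demo_nonce` are hypothetical, and the code assumes it runs inside WordPress so that the `wp_*`, `check_admin_referer()`, `sanitize_text_field()` and `esc_*` functions are available. The vulnerable handler honours any POST that arrives with a logged-in administrator's cookies, which is exactly what an attacker page with an auto-submitting form to `admin-post.php` produces, and then echoes the stored value unescaped; the hardened handler checks a nonce, a capability, and sanitizes and escapes.

```php
<?php
/*
 * Constructed example for CVE-2025-26572's bug class (CWE-352 leading to
 * stored XSS). Not the plugin's code; option/action/nonce names are hypothetical.
 * Assumes execution inside WordPress (admin context), where the functions used exist.
 */

/* ---- Vulnerable pattern ------------------------------------------------------
 * Any POST to admin-post.php?action=demo_save_vuln sent by an authenticated
 * admin's browser is accepted. A cross-site page can trigger exactly that, so
 * an attacker stores arbitrary HTML that later executes for every viewer.
 */
add_action( 'admin_post_demo_save_vuln', 'demo_save_settings_vuln' );
function demo_save_settings_vuln() {
    // No nonce check, no capability check, no sanitization: CSRF sink.
    update_option( 'demo_form_title', $_POST['form_title'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}
function demo_render_title_vuln() {
    // Stored value echoed raw: a <script> payload planted via CSRF runs here (stored XSS).
    echo '<h2>' . get_option( 'demo_form_title', '' ) . '</h2>';
}

/* ---- Hardened pattern --------------------------------------------------------
 * SC-23: the form carries a nonce bound to this action and the current user's
 * session. A page on another origin cannot obtain it, so a forged POST fails.
 */
function demo_render_settings_form() {
    $title = get_option( 'demo_form_title', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save">
        <?php wp_nonce_field( 'demo_save_settings', 'demo_nonce' ); ?>
        <label>Form title
            <!-- esc_attr() on output so a previously stored value cannot break out of the attribute -->
            <input type="text" name="form_title" value="<?php echo esc_attr( $title ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_demo_save', 'demo_save_settings' );
function demo_save_settings() {
    // 1. SC-23: verify the nonce for this specific action. On failure WordPress
    //    shows the "link expired / are you sure" page and stops execution.
    check_admin_referer( 'demo_save_settings', 'demo_nonce' );

    // 2. Least privilege: a valid session is not enough; require the right capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }

    // 3. SI-10: sanitize before storing. sanitize_text_field() strips tags and
    //    control characters, closing the stored-XSS sink independently of the nonce.
    $title = isset( $_POST['form_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['form_title'] ) )
        : '';
    if ( strlen( $title ) > 200 ) {          // hypothetical length bound for the option
        $title = substr( $title, 0, 200 );
    }
    update_option( 'demo_form_title', $title );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=demo' ) ) );
    exit;
}

function demo_render_title() {
    // Escape on output too: defence in depth against values stored by the older code path.
    echo '<h2>' . esc_html( get_option( 'demo_form_title', '' ) ) . '</h2>';
}
```

The nonce check and the sanitization are independent controls: the nonce stops the forged request from being processed at all, while sanitizing on input and escaping on output ensures that even a request which reaches `update_option()` cannot plant executable markup. Auditing a plugin for this bug class therefore means confirming that every `admin_post_*`, `admin-ajax` and settings handler that writes state calls `check_admin_referer()` or `wp_verify_nonce()` before it writes, and that what it writes is escaped wherever it is later rendered.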