CVE-2025-26578
Published: 13 February 2025
Summary
CVE-2025-26578 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-26578 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Simple Documentation WordPress plugin (client-documentation) developed by mathieuhays. This flaw allows for Stored Cross-Site Scripting (XSS) and affects all versions from unknown initial release through 1.2.8. The vulnerability received a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, and scope change despite needing user interaction.
Attackers can exploit this vulnerability remotely without authentication by tricking authenticated users into interacting with a malicious webpage or link that submits a forged request to the vulnerable plugin. This enables the injection and storage of XSS payloads, which execute in the context of other users viewing the affected documentation, potentially leading to session hijacking, data theft, or further site compromise with low impacts on confidentiality, integrity, and availability.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/client-documentation/vulnerability/wordpress-simple-documentation-plugin-1-2-8-csrf-to-stored-xss-vulnerability?_s_id=cve provides details on this CSRF-to-stored-XSS issue in Simple Documentation version 1.2.8. Published on 2025-02-13, no specific patch details are outlined in available information, but updating beyond version 1.2.8 is implied for mitigation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4231
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in mathieuhays Simple Documentation client-documentation allows Stored XSS.This issue affects Simple Documentation: from n/a through <= 1.2.8.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF to stored XSS in public-facing WordPress plugin enables T1190 (exploiting public app), T1059.007 (arbitrary JS execution via XSS payload), and T1185 (session hijacking via stolen cookies/data theft).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Remediating the specific flaw in Simple Documentation plugin versions <=1.2.8 by patching prevents CSRF exploitation leading to stored XSS.
Enforcing session authenticity with mechanisms like CSRF tokens blocks forged requests that inject XSS payloads into the plugin.
Validating inputs to the documentation endpoint prevents malicious XSS payloads from being stored via CSRF exploitation.