CVE-2025-26768
Published: 16 February 2025
Summary
CVE-2025-26768 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it ranks at the 20.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-26768 is a Cross-Site Request Forgery (CSRF) vulnerability in the what3words Address Field 3-word-address-validation-field WordPress plugin, which allows Stored XSS. The issue affects all versions from unknown (n/a) through 4.0.15. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and is associated with CWE-352.
Unauthenticated attackers (PR:N) can exploit this remotely over the network (AV:N) with low attack complexity (AC:L) by tricking authenticated users into performing actions via a malicious site, requiring user interaction (UI:R). Successful exploitation leads to Stored XSS with a scope change (S:C), enabling limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L).
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/3-word-address-validation-field/vulnerability/wordpress-what3words-address-field-plugin-4-0-15-csrf-to-stored-xss-vulnerability?_s_id=cve provides details on the vulnerability, with mitigation implied by updating beyond version 4.0.15.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4241
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in what3words what3words Address Field 3-word-address-validation-field allows Stored XSS. This issue affects what3words Address Field: from n/a through <= 4.0.15.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A CSRF flaw in a public-facing WordPress plugin maps directly to T1190: the attacker exploits the public-facing application, via a forged request from an authenticated user's browser, to plant a stored XSS payload.
Mitigating Controls (NIST 800-53 r5)
- SC-23 (Session Authenticity): enforces session authenticity mechanisms such as CSRF tokens (WordPress nonces) so that an unauthenticated attacker cannot trick an authenticated user into submitting a request that stores an XSS payload.
- SI-10 (Information Input Validation): validates and sanitizes inputs to the WordPress plugin so that malicious payloads are blocked before they are stored and can never reach a page as executable script.
- Output filtering and encoding: filters and encodes information outputs so that any stored script text is rendered as inert text rather than executed as XSS in users' browsers.
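As an added defensive example (not code from the what3words plugin or from the Patchstack advisory), the following hypothetical WordPress settings handler shows the weak pattern that produces a CSRF-to-stored-XSS chain beside the hardened one that applies the three controls above; the option name, hook name and field names are assumptions.

```php
<?php
// Added example, not the what3words plugin's own code. Option, hook and
// field names (w3w_demo_*) are hypothetical.

// Weak version: no nonce or capability check, raw input stored, and the
// stored value later echoed unescaped. A forged cross-site POST from a
// logged-in admin's browser is accepted and the payload persists.
function w3w_demo_save_settings_unsafe() {
    if ( isset( $_POST['w3w_demo_label'] ) ) {
        update_option( 'w3w_demo_label', $_POST['w3w_demo_label'] );
    }
}
function w3w_demo_render_label_unsafe() {
    echo '<span>' . get_option( 'w3w_demo_label', '' ) . '</span>';
}

// Hardened version.
function w3w_demo_save_settings() {
    if ( ! isset( $_POST['w3w_demo_label'] ) ) {
        return;
    }
    // SC-23 Session authenticity: the nonce is bound to this action and the
    // current user's session; a request forged from another origin lacks it
    // and check_admin_referer() stops processing with a 403-style wp_die().
    check_admin_referer( 'w3w_demo_save', 'w3w_demo_nonce' );
    // Authorization: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'w3w-demo' ) );
    }
    // SI-10 Input validation: strip tags, control characters and slashes
    // before the value is stored.
    $label = sanitize_text_field( wp_unslash( $_POST['w3w_demo_label'] ) );
    update_option( 'w3w_demo_label', $label );
}
add_action( 'admin_post_w3w_demo_save', 'w3w_demo_save_settings' );

// The legitimate form carries the nonce that the handler verifies.
function w3w_demo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="w3w_demo_save">';
    wp_nonce_field( 'w3w_demo_save', 'w3w_demo_nonce' );
    echo '<input type="text" name="w3w_demo_label" value="'
        . esc_attr( get_option( 'w3w_demo_label', '' ) ) . '">';
    submit_button();
    echo '</form>';
}

// Output encoding: escape for the HTML text context at render time, so even
// a value that slipped past validation is displayed as text, not executed.
function w3w_demo_render_label() {
    echo '<span>' . esc_html( get_option( 'w3w_demo_label', '' ) ) . '</span>';
}
```

Note that the nonce check and the capability check are independent: the nonce defeats cross-origin forgery, while the capability check stops a low-privilege logged-in user from submitting the form directly.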