Cyber Resilience

CVE-2025-31443

High

Published: 28 March 2025

Published
28 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0019 40.5th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-31443 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-31443 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WordPress plugin KK I Like It (kk-i-like-it) developed by Krzysztof Furtak. This flaw enables Stored Cross-Site Scripting (XSS) and affects all versions of the plugin up to and including 1.7.5.3. The vulnerability received a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, and scope change.

Unauthenticated attackers can exploit this vulnerability by crafting a malicious webpage that, when visited by an authenticated WordPress user, triggers a CSRF request to the vulnerable plugin endpoint. This user interaction results in the storage of an XSS payload on the site, which can then execute arbitrary JavaScript in the context of other users viewing affected pages, potentially leading to session hijacking, data theft, or further site compromise with low impacts across confidentiality, integrity, and availability.

The Patchstack advisory provides details on this WordPress plugin vulnerability, including recommended mitigations such as updating to a patched version if available or applying protective measures like CSRF token validation. Security practitioners should consult the full advisory at https://patchstack.com/database/Wordpress/Plugin/kk-i-like-it/vulnerability/wordpress-kk-i-like-it-plugin-1-7-5-3-csrf-to-stored-xss-vulnerability?_s_id=cve for patch status and workaround guidance.

EU & UK References

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in Krzysztof Furtak KK I Like It kk-i-like-it allows Stored XSS.This issue affects KK I Like It: from n/a through <= 1.7.5.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

CSRF to stored XSS in public-facing WordPress plugin directly enables T1190; resulting arbitrary JS execution facilitates T1185 for session hijacking and data theft.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-23900Shared CWE-352
CVE-2026-29784Shared CWE-352
CVE-2025-25140Shared CWE-352
CVE-2025-23567Shared CWE-352
CVE-2025-31444Shared CWE-352
CVE-2025-22690Shared CWE-352
CVE-2025-26577Shared CWE-352
CVE-2025-30587Shared CWE-352
CVE-2025-23501Shared CWE-352
CVE-2025-23426Shared CWE-352

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces session authenticity mechanisms like CSRF tokens to prevent unauthenticated attackers from tricking users into storing XSS payloads via forged requests.

prevent

Validates inputs to the vulnerable plugin endpoint to reject malicious XSS payloads delivered through CSRF exploitation.

prevent

Filters information outputs to neutralize stored XSS payloads from executing arbitrary JavaScript in users' browsers.

References