CVE-2025-31566
Published: 31 March 2025
Summary
CVE-2025-31566 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-31566 is a Cross-Site Request Forgery (CSRF) vulnerability in the riosisgroup Rio Video Gallery WordPress plugin (rio-video-gallery) that enables Stored Cross-Site Scripting (XSS). This issue affects all versions of the plugin from n/a through 2.3.6 inclusive. The vulnerability is classified under CWE-352 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this vulnerability without privileges by tricking an authenticated user into interacting with a malicious site, such as by visiting a crafted webpage. The CSRF request would then store an XSS payload on the target WordPress site, allowing arbitrary JavaScript execution in the context of the site for subsequent visitors, including administrators or other users.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/rio-video-gallery/vulnerability/wordpress-rio-video-gallery-plugin-2-3-6-csrf-to-stored-xss-vulnerability?_s_id=cve provides details on this WordPress Rio Video Gallery plugin vulnerability in version 2.3.6. Security practitioners should consult this reference for any recommended patches or mitigations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8822
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in riosisgroup Rio Video Gallery rio-video-gallery allows Stored XSS.This issue affects Rio Video Gallery: from n/a through <= 2.3.6.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a CSRF in a public-facing WordPress plugin directly enabling T1190 (Exploit Public-Facing Application). It facilitates stored XSS allowing arbitrary JavaScript execution in visitors' browsers, mapping to T1059.007 (JavaScript).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SC-23 enforces session authenticity mechanisms such as anti-CSRF tokens, directly preventing unauthorized requests that store XSS payloads via CSRF in the Rio Video Gallery plugin.
SI-10 requires validation of all information inputs, blocking malicious XSS payloads from being stored in the video gallery due to inadequate sanitization.
SI-2 mandates identification, testing, and installation of software updates, directly addressing the flaw in Rio Video Gallery versions through <=2.3.6.