Description
Cross-Site Request Forgery (CSRF) vulnerability in Sourov Amin Word Freshener word-freshener allows Stored XSS. This issue affects Word Freshener: from n/a through <= 1.3.
Published: 2025-01-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross‑Site Request Forgery flaw in the Word Freshener plugin allows an attacker to induce a logged‑in user, typically an administrator, into submitting a forged request that stores arbitrary JavaScript in the site’s database. When an authenticated or unauthenticated user later views the affected content, the script executes in that user’s browser, leading to session hijacking or defacement. The weakness, classified as CWE‑352, signifies that the plugin does not properly verify that a state‑changing request originates from a legitimate user context (for example, via a per‑request nonce) before acting on it.
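As an added illustration of the weakness class described above (this is not code from the Word Freshener plugin, whose internals are not shown on this page), the following hypothetical WordPress settings handler shows the CWE‑352 pattern next to its hardened form. All function, hook, option and field names (the `wfx_` prefix, `banner_text`, `wfx_nonce`) are invented for the example; the WordPress APIs used (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `sanitize_text_field`, `esc_html`, `admin_post_*` hooks) are real core functions.

```php
<?php
/*
 * Added example, not the plugin's own code. A hypothetical settings handler
 * for a WordPress plugin, first in the shape that CWE-352 describes and then
 * with the checks that close it. Names prefixed wfx_ are invented.
 */

// --- Weak pattern, for comparison only (deliberately not hooked):
// no nonce, no capability check, raw input persisted and later echoed
// unescaped. A forged cross-site form submission from a logged-in admin's
// browser is accepted, so attacker-supplied markup ends up in the database.
function wfx_save_settings_unsafe() {
    update_option( 'wfx_banner_text', $_POST['banner_text'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=wfx' ) );
    exit;
}

// --- Hardened form: the nonce field binds the submission to this user,
// this session and this action. A third-party site cannot read it.
function wfx_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wfx_save_settings">
        <?php wp_nonce_field( 'wfx_save_settings', 'wfx_nonce' ); ?>
        <input type="text" name="banner_text"
               value="<?php echo esc_attr( get_option( 'wfx_banner_text', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// --- Hardened handler.
function wfx_save_settings() {
    // 1. CSRF check: dies with a 403 unless the request carries a valid nonce
    //    for this exact action. This is the control CWE-352 says is missing.
    check_admin_referer( 'wfx_save_settings', 'wfx_nonce' );

    // 2. Authorization: a nonce proves the request came from the site's own
    //    page, not that the user is allowed to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wfx' ), '', array( 'response' => 403 ) );
    }

    // 3. Sanitize before persisting: sanitize_text_field() strips tags, so
    //    script markup never reaches the database in executable form.
    $text = isset( $_POST['banner_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['banner_text'] ) )
        : '';
    update_option( 'wfx_banner_text', $text );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=wfx' ) ) );
    exit;
}
add_action( 'admin_post_wfx_save_settings', 'wfx_save_settings' );

// 4. Output encoding on display: defence in depth so that anything already
//    stored unsanitized is rendered as text rather than executed.
function wfx_render_banner() {
    echo '<div class="wfx-banner">' . esc_html( get_option( 'wfx_banner_text', '' ) ) . '</div>';
}
add_action( 'wp_footer', 'wfx_render_banner' );
```

The four controls are independent and each addresses a different part of the chain: the nonce stops the forged request, the capability check stops a low‑privileged victim from being used as a proxy, input sanitization stops script from being stored, and output escaping stops stored script from executing. A plugin that relies on only the last two still has a CSRF flaw, even if the stored‑XSS consequence is blunted.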

Affected Systems

The vulnerability affects all releases of the Word Freshener plugin up to and including version 1.3, as distributed by Sourov Amin. WordPress sites that have installed any of these versions and expose the plugin’s administrative interface are at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests a low current exploitation probability. The CVE is not listed in CISA’s KEV catalog, and no active exploits have been reported. Attackers would likely need to craft a forged HTTP request targeting the plugin’s submission endpoint; the impact depends on the visibility of the stored payload and whether other users view the compromised content. Mitigation remains prudent due to the severity of potential stored XSS.

Generated by OpenCVE AI on May 1, 2026 at 21:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Word Freshener plugin to a version newer than 1.3 that addresses the CSRF flaw.
  • If an upgrade is not possible, remove or disable the plugin entirely until a fix is available.
  • Apply a Web Application Firewall rule or other request‑level filtering to block cross‑site requests to the plugin’s submission endpoint (for example, requests lacking a valid nonce or carrying a foreign Origin/Referer) and to sanitize script content before it can be stored in the database.


Tracking


Advisories
Source ID Title
EUVD EUVD-2025-3259 Cross-Site Request Forgery (CSRF) vulnerability in Sourov Amin Word Freshener allows Stored XSS. This issue affects Word Freshener: from n/a through 1.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Sourov Amin Word Freshener allows Stored XSS.This issue affects Word Freshener: from n/a through 1.3. Cross-Site Request Forgery (CSRF) vulnerability in Sourov Amin Word Freshener word-freshener allows Stored XSS.This issue affects Word Freshener: from n/a through <= 1.3.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 17 Jan 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Jan 2025 20:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Sourov Amin Word Freshener allows Stored XSS.This issue affects Word Freshener: from n/a through 1.3.
Title WordPress Word Freshener plugin <= 1.3 - CSRF to Stored XSS vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

WordPress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:13.671Z

Reserved: 2025-01-16T11:26:29.091Z

Link: CVE-2025-23577

Vulnrichment

Updated: 2025-01-17T17:21:07.635Z

NVD

Status : Deferred

Published: 2025-01-16T20:15:40.877

Modified: 2026-04-23T15:24:04.840

Link: CVE-2025-23577

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T21:15:25Z

Weaknesses