Description
Cross-Site Request Forgery (CSRF) vulnerability in Chris Roberts Annie annie allows Cross Site Request Forgery. This issue affects Annie: from n/a through <= 2.1.1.
Published: 2025-01-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Annie plugin contains a CSRF vulnerability that can be abused to store malicious client‑side script in the site content. By forcing an authenticated user to submit a forged request, an attacker can create persistent XSS that runs in the browser of anyone who later views the affected page. The weakness is a classic lack of CSRF protection that results in stored cross‑site scripting, classified as CWE‑352.

Affected Systems

This issue affects the Chris Roberts Annie WordPress plugin in all releases up to and including version 2.1.1. Site administrators running any of these versions should be aware of the risk.

Risk and Exploitability

The CVSS score is 7.1, indicating high severity. The EPSS score is below 1%, so although the severity is high, the current likelihood of exploitation is low. The vulnerability is not listed in the CISA KEV catalog. The attack requires the victim to be logged in or to hold a privileged role and to visit a crafted URL that triggers the forged request, so an attacker with access to the user's browser, or able to embed the malicious link in email or other content the victim opens, could exploit it. A successful CSRF lets the attacker inject persistent JavaScript, compromising the confidentiality, integrity, or availability of the site for all users. Patching is the most effective mitigation.

Generated by OpenCVE AI on May 1, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Annie plugin to a version newer than 2.1.1, where the CSRF and XSS issue is fixed.
  • If an upgrade cannot be performed immediately, deactivate or delete the plugin to prevent further injection.
  • As an interim measure, block external requests to the admin‑ajax.php endpoint used by the plugin, or configure a web application firewall to reject forged cross‑site requests targeting Annie, until the patch is applied.

Advisories

  • Source: EUVD
    ID: EUVD-2025-3502
    Title: Cross-Site Request Forgery (CSRF) vulnerability in Chris Roberts Annie allows Cross Site Request Forgery.This issue affects Annie: from n/a through 2.1.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

  • Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  • Description
    Removed: Cross-Site Request Forgery (CSRF) vulnerability in Chris Roberts Annie allows Cross Site Request Forgery.This issue affects Annie: from n/a through 2.1.1.
    Added: Cross-Site Request Forgery (CSRF) vulnerability in Chris Roberts Annie annie allows Cross Site Request Forgery.This issue affects Annie: from n/a through <= 2.1.1.
  • References
  • Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 17 Jan 2025 22:15:00 +0000

  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Jan 2025 20:30:00 +0000

  • Description: Cross-Site Request Forgery (CSRF) vulnerability in Chris Roberts Annie allows Cross Site Request Forgery.This issue affects Annie: from n/a through 2.1.1.
  • Title: WordPress Annie plugin <= 2.1.1 - CSRF to Stored XSS vulnerability
  • Weaknesses: CWE-352
  • References
  • Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Updated: 2026-04-28T16:11:23.799Z

Reserved: 2025-01-16T11:31:35.915Z

Link: CVE-2025-23884

Vulnrichment

Updated: 2025-01-17T21:51:37.335Z

NVD

Status: Deferred

Published: 2025-01-16T21:15:29.730

Modified: 2026-06-17T08:57:40.387

Link: CVE-2025-23884

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T20:30:05Z

Weaknesses

  • CWE-352: Cross-Site Request Forgery (CSRF)