CVE-2025-23508
📋 TL;DR
This CSRF vulnerability in the WordPress Extra Options – Favicons plugin allows attackers to trick authenticated administrators into executing malicious actions, leading to stored cross-site scripting (XSS). Attackers can inject malicious scripts that execute in users' browsers when they visit compromised pages. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- WordPress Extra Options – Favicons plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject persistent malicious scripts that steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for complete site compromise.
Likely Case
Attackers would typically inject scripts to steal session cookies or credentials, potentially gaining administrative access to the WordPress site.
If Mitigated
With proper CSRF protections and content security policies, the attack would be blocked before reaching the vulnerable endpoint.
🎯 Exploit Status
Exploitation requires social engineering to trick an administrator into clicking a malicious link while authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.1.0
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Extra Options – Favicons'. 4. Click 'Update Now' if available, or delete and install latest version from WordPress repository.
🔧 Temporary Workarounds
Implement CSRF Protection
WordPressAdd nonce verification to plugin forms and AJAX requests
Add wp_nonce_field() to forms and check with wp_verify_nonce()
Content Security Policy
allImplement CSP headers to restrict script execution
Add 'Content-Security-Policy' header via .htaccess or web server config
🧯 If You Can't Patch
- Disable or remove the Extra Options – Favicons plugin entirely
- Implement strict access controls and monitor administrator account activity
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Extra Options – Favicons' version 1.1.0 or earlierCheck Version:
wp plugin list --name='extra-options-favicons' --field=versionVerify Fix Applied:
Verify plugin version is higher than 1.1.0 in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with favicon-related actions
- Multiple failed nonce verification attempts
Network Indicators:
- Unexpected iframe or script tags in favicon settings
- External script loading from unusual domains in favicon-related pages
SIEM Query:
source="wordpress.log" AND ("admin-ajax.php" AND "favicon") AND status=200