CVE-2025-23720
📋 TL;DR
A Cross-Site Request Forgery (CSRF) vulnerability in Mozilla Web Push WordPress plugin allows attackers to inject malicious scripts via stored XSS. This affects WordPress sites using the Web Push plugin versions up to 1.4.0. Attackers can trick authenticated administrators into executing actions that lead to persistent script injection.
💻 Affected Systems
- Mozilla Web Push WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious JavaScript that executes in administrators' browsers, potentially leading to site takeover, data theft, or malware distribution to visitors.
Likely Case
Attackers create fake admin interfaces or redirects to steal credentials or session cookies from administrators.
If Mitigated
With proper CSRF tokens and input validation, the attack chain is broken and no exploitation occurs.
🎯 Exploit Status
Requires social engineering to trick authenticated administrators into clicking malicious links while logged in.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.4.0
Vendor Advisory: https://patchstack.com/database/wordpress/plugin/web-push/vulnerability/wordpress-web-push-plugin-1-4-0-csrf-to-stored-xss-vulnerability?_s_id=cve
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Web Push' plugin. 4. Click 'Update Now' if update available. 5. If no update, deactivate and remove plugin until patch is released.
🔧 Temporary Workarounds
Implement CSRF Protection
allAdd CSRF tokens to all form submissions and state-changing actions in the plugin.
Input Validation and Sanitization
allEnsure all user inputs are properly validated and sanitized before storage and output.
🧯 If You Can't Patch
- Disable or remove the Web Push plugin immediately.
- Implement web application firewall (WAF) rules to block CSRF attempts and XSS payloads.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Web Push version. If version is 1.4.0 or earlier, you are vulnerable.Check Version:
wp plugin list --name=web-push --field=versionVerify Fix Applied:
After updating, verify the plugin version is higher than 1.4.0 in the WordPress plugins list.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to Web Push admin endpoints without referrer headers
- JavaScript injection patterns in plugin-related database entries
Network Indicators:
- CSRF attempts with malicious payloads targeting /wp-admin/admin-ajax.php or plugin-specific endpoints
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path CONTAINS "web-push") AND (http_method="POST" AND referrer="")