CVE-2025-23749
📋 TL;DR
This vulnerability in the Mahdi Khaksar mybb Last Topics WordPress plugin allows attackers to perform Cross-Site Request Forgery (CSRF) attacks that lead to Stored Cross-Site Scripting (XSS). Attackers can trick authenticated administrators into executing malicious actions that inject persistent scripts into the website. All users of the plugin version 1.0 are affected.
💻 Affected Systems
- Mahdi Khaksar mybb Last Topics WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious JavaScript that steals administrator credentials, defaces the website, redirects visitors to malicious sites, or installs backdoors for persistent access.
Likely Case
Attackers would typically use this to inject adware, cryptocurrency miners, or credential-stealing scripts that affect all visitors to the compromised WordPress site.
If Mitigated
With proper CSRF tokens and input validation, the attack chain would be broken at the initial CSRF stage, preventing the XSS payload from being stored.
🎯 Exploit Status
Exploitation requires tricking an authenticated administrator into clicking a malicious link or visiting a compromised page. The CSRF leads to stored XSS, making the attack persistent.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown - plugin appears abandoned
Restart Required: No
Instructions:
1. Remove the mybb Last Topics plugin from your WordPress installation. 2. Delete the plugin files from /wp-content/plugins/mybb-last-topics/. 3. Consider using alternative plugins for similar functionality.
🔧 Temporary Workarounds
Implement CSRF Protection
WordPressAdd nonce verification to all plugin forms and AJAX endpoints to prevent CSRF attacks.
Requires modifying plugin PHP files to add wp_nonce_field() and wp_verify_nonce() calls
Enable WordPress Security Plugins
WordPressUse security plugins like Wordfence or Sucuri that can detect and block XSS attempts.
🧯 If You Can't Patch
- Disable or remove the mybb Last Topics plugin immediately
- Restrict administrative access to trusted IP addresses only
🔍 How to Verify
Check if Vulnerable:
Check if the plugin 'mybb Last Topics' version 1.0 is installed in WordPress admin panel under Plugins > Installed Plugins.Check Version:
wp plugin list --name=mybb-last-topics --field=version (if WP-CLI is installed)Verify Fix Applied:
Verify the plugin is no longer listed in WordPress admin or the plugin directory /wp-content/plugins/mybb-last-topics/ is removed.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress admin-ajax.php or admin-post.php involving mybb-last-topics
- JavaScript injection in database content related to the plugin
Network Indicators:
- HTTP requests with suspicious parameters to plugin endpoints from unexpected referrers
SIEM Query:
source="wordpress.log" AND ("mybb-last-topics" OR "admin-ajax.php" action=mybb) AND status=200