CVE-2025-25160
📋 TL;DR
A Cross-Site Request Forgery (CSRF) vulnerability in the WordPress Style Tweaker plugin allows attackers to perform stored cross-site scripting (XSS) attacks. This affects WordPress administrators who can be tricked into clicking malicious links while authenticated. The vulnerability exists in all versions up to and including 0.11.
💻 Affected Systems
- WordPress Style Tweaker plugin
📦 What is this software?
Style Tweaker by Markbarnes
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious JavaScript that executes in administrators' browsers, potentially leading to complete site takeover, data theft, or malware distribution to visitors.
Likely Case
Attackers trigger privileged plugin actions (such as storing a script payload in the site's pages) by tricking an authenticated administrator into visiting a crafted page.
If Mitigated
With proper CSRF protections and input validation, the attack chain would be broken before reaching the stored XSS component.
🎯 Exploit Status
Requires social engineering to trick authenticated administrators into performing actions via CSRF, which then leads to stored XSS.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 0.11
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Style Tweaker' and update to the latest version.
4. If no update is available, deactivate and remove the plugin.
🔧 Temporary Workarounds
Implement CSRF Protection
Platform: WordPress
Add nonce verification to all plugin forms and AJAX requests
Requires code modification: Add wp_nonce_field() to forms and check_admin_referer() or wp_verify_nonce() in processing
Input Sanitization
Platform: WordPress
Sanitize all user inputs and escape outputs using WordPress functions
Requires code modification: Use sanitize_text_field(), esc_html(), wp_kses() functions
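Both workarounds applied to one settings form, as an added example that is not the Style Tweaker plugin's own code; the example_tweaker_* hook, option and field names are assumptions:

```php
<?php
// Added example, not the Style Tweaker plugin's own code: a minimal
// settings form plus its handler, hardened with the nonce and
// sanitization calls the workaround names. Hook and option names
// prefixed "example_tweaker" are hypothetical.

add_action( 'admin_post_example_tweaker_save', 'example_tweaker_save' );

function example_tweaker_save() {
    // Capability check first: a forged request riding a low-privilege
    // session must fail regardless of the nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF check: dies if the nonce is missing, expired or forged. A
    // third-party page cannot read the victim's nonce, so a cross-site
    // POST never reaches the code below.
    check_admin_referer( 'example_tweaker_save', 'example_tweaker_nonce' );

    // Sanitize on input: plain text for the label, a tiny tag allowlist
    // for the note (wp_kses strips <script>, on* handlers, etc.).
    $label = isset( $_POST['tweak_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['tweak_label'] ) ) : '';
    $note  = isset( $_POST['tweak_note'] )
        ? wp_kses( wp_unslash( $_POST['tweak_note'] ),
                   array( 'strong' => array(), 'em' => array() ) ) : '';

    update_option( 'example_tweaker_label', $label );
    update_option( 'example_tweaker_note', $note );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-tweaker&saved=1' ) );
    exit;
}

function example_tweaker_form() {
    // Escape on output as well, so a stored value can never run as script.
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_tweaker_save">
        <?php wp_nonce_field( 'example_tweaker_save', 'example_tweaker_nonce' ); ?>
        <input type="text" name="tweak_label"
               value="<?php echo esc_attr( get_option( 'example_tweaker_label', '' ) ); ?>">
        <textarea name="tweak_note"><?php
            echo esc_textarea( get_option( 'example_tweaker_note', '' ) ); ?></textarea>
        <?php submit_button( 'Save tweaks' ); ?>
    </form>
    <?php
}
```

The weak shape this advisory describes is a handler that skips check_admin_referer() and writes $_POST values straight to update_option(). The nonce check breaks the CSRF step, and sanitizing on input plus escaping on output breaks the stored XSS step.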
🧯 If You Can't Patch
- Deactivate and remove the Style Tweaker plugin immediately
- Implement web application firewall (WAF) rules to block CSRF attempts and XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for Style Tweaker version 0.11 or earlier
Check Version:
wp plugin list --name=style-tweaker --field=version (if WP-CLI installed)
Verify Fix Applied:
Confirm Style Tweaker is either removed or updated to version after 0.11
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin/admin-ajax.php or plugin-specific endpoints without proper referrers/nonces
- Administrative actions from unexpected IP addresses or user agents
Network Indicators:
- CSRF attempts with missing or invalid nonce parameters
- JavaScript injection patterns in plugin-related requests
SIEM Query:
source="wordpress.log" AND ("style-tweaker" OR "admin-ajax.php") AND (POST AND NOT "_wpnonce=")