CVE-2025-23694: Shabbos and Yom Tov CSRF Vulnerability

CVE-2025-23694 Overview

CVE-2025-23694 is a Cross-Site Request Forgery (CSRF) vulnerability in the Shabbos and Yom Tov WordPress plugin developed by shabboscommerce. This vulnerability allows attackers to chain CSRF with Stored Cross-Site Scripting (XSS), enabling malicious actors to inject persistent scripts into vulnerable WordPress sites by tricking authenticated administrators into performing unintended actions.

Critical Impact

Attackers can exploit this CSRF vulnerability to inject malicious JavaScript that persists in the application, potentially compromising all visitors to affected pages and enabling session hijacking, credential theft, or malware distribution.

Affected Products

• Shabbos and Yom Tov WordPress Plugin versions 1.9 and earlier
• WordPress sites with the shabbos-and-yom-tov plugin installed
• All configurations of the affected plugin versions

Discovery Timeline

• 2025-01-16 - CVE-2025-23694 published to NVD
• 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2025-23694

Vulnerability Analysis

This vulnerability represents a compound attack vector that chains Cross-Site Request Forgery (CSRF) with Stored Cross-Site Scripting (XSS). The Shabbos and Yom Tov plugin, which provides Jewish holiday scheduling functionality for WordPress sites, fails to implement proper CSRF token validation on forms that accept user input. This missing protection allows attackers to craft malicious requests that, when executed by an authenticated administrator, inject persistent JavaScript code into the plugin's stored data.

The stored XSS component makes this vulnerability particularly dangerous because the injected malicious script executes every time a user visits the affected page, creating a persistent attack surface. Since the attack targets administrative functionality, successful exploitation could lead to complete site compromise.

Root Cause

The root cause of this vulnerability is the absence of nonce verification (WordPress's CSRF protection mechanism) on sensitive plugin forms that process and store user-supplied data. WordPress provides built-in functions like wp_nonce_field() and wp_verify_nonce() to protect against CSRF attacks, but the Shabbos and Yom Tov plugin versions through 1.9 do not properly implement these security controls.

Additionally, the plugin fails to sanitize and escape output properly, allowing attacker-controlled JavaScript to be stored in the database and rendered without proper encoding when displayed to users.

Attack Vector

The attack is network-based and requires user interaction. An attacker must craft a malicious web page or email containing a hidden form that submits to the vulnerable plugin endpoint. When an authenticated WordPress administrator with plugin management permissions visits the attacker's page, the form is automatically submitted using the administrator's session cookies.

The attack flow typically follows this pattern:

1. Attacker identifies a vulnerable form endpoint in the Shabbos and Yom Tov plugin
2. Attacker creates a malicious page with an auto-submitting form containing XSS payload
3. Administrator is lured to the malicious page while logged into WordPress
4. Form submits automatically, storing the XSS payload in the plugin's data
5. All subsequent visitors to the affected page execute the malicious script

Detection Methods for CVE-2025-23694

Indicators of Compromise

• Unexpected JavaScript code appearing in plugin-managed content or settings
• Unusual administrative actions in WordPress audit logs that administrators don't recall performing
• Reports of browser security warnings or unexpected redirects from site visitors
• Modified plugin settings without corresponding administrative activity

Detection Strategies

• Review WordPress database tables associated with the Shabbos and Yom Tov plugin for suspicious script tags or JavaScript event handlers
• Monitor HTTP request logs for POST requests to plugin endpoints from external referrers
• Implement Content Security Policy (CSP) headers to detect and block inline script execution attempts
• Use WordPress security plugins that scan for stored XSS patterns in database content

Monitoring Recommendations

• Enable comprehensive logging for all WordPress administrative actions
• Configure web application firewall (WAF) rules to detect CSRF attack patterns and XSS payloads
• Implement real-time alerting for modifications to plugin settings or content
• Regularly audit plugin-stored data for unexpected HTML or JavaScript content

How to Mitigate CVE-2025-23694

Immediate Actions Required

• Update the Shabbos and Yom Tov plugin to the latest patched version if available
• If no patch is available, consider temporarily deactivating the plugin until a fix is released
• Review and sanitize any existing data stored by the plugin for malicious content
• Implement a Web Application Firewall (WAF) with CSRF and XSS protection rules

Patch Information

Users should check the Patchstack WordPress Vulnerability Database for the latest patch status and remediation guidance. Contact the plugin developer at shabboscommerce for information on security updates addressing this vulnerability.

Workarounds

• Implement Content Security Policy (CSP) headers to prevent inline script execution
• Restrict administrative access to trusted IP addresses only
• Use a security plugin like Wordfence or Sucuri to add additional CSRF and XSS protection layers
• Limit the number of users with administrative privileges to reduce the attack surface

# Add Content Security Policy headers in .htaccess or nginx configuration
# Apache (.htaccess)
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';"

# Nginx (nginx.conf or site configuration)
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';" always;