CVE-2025-23745 Overview
CVE-2025-23745 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WordPress "Call me Now" plugin developed by Tussendoor B.V. This vulnerability allows attackers to chain CSRF with Stored Cross-Site Scripting (XSS), enabling persistent malicious script injection into vulnerable WordPress sites. When exploited, attackers can perform unauthorized actions on behalf of authenticated users and inject malicious scripts that execute whenever users visit affected pages.
Critical Impact
This CSRF-to-Stored-XSS vulnerability chain allows unauthenticated attackers to inject persistent malicious scripts into WordPress sites by tricking administrators into clicking crafted links, potentially leading to session hijacking, credential theft, and full site compromise.
Affected Products
- WordPress Call me Now plugin version 1.0.5 and earlier
- All WordPress installations using the vulnerable Call me Now plugin
- Sites where a user with permission to change the plugin's settings (typically an administrator) browses other sites while logged in to the dashboard; CSRF does not require the settings endpoint to be reachable without authentication, it rides on the victim's existing session
Discovery Timeline
- 2025-01-16 - CVE-2025-23745 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-23745
Vulnerability Analysis
This vulnerability represents a dangerous attack chain combining two distinct web application weaknesses. The Call me Now WordPress plugin fails to implement proper CSRF token validation on state-changing requests, allowing attackers to craft malicious requests that execute in the context of authenticated administrators. When combined with insufficient output encoding, this results in a Stored XSS condition where injected JavaScript persists in the database and executes for all users viewing the affected content.
The attack requires no authentication by the attacker, but it does require user interaction: a user with rights to change the plugin's settings (an administrator) must be tricked into visiting an attacker-controlled page while logged into the WordPress dashboard. The CVSS vector records a changed scope (S:C), meaning the impact extends beyond the vulnerable plugin to the confidentiality, integrity, and availability of the whole WordPress installation and its visitors.
Root Cause
The root cause stems from two security control failures within the Call me Now plugin:
Missing CSRF Protection: The plugin does not validate WordPress nonces or implement other anti-CSRF mechanisms on form submissions or AJAX endpoints that modify plugin settings. This allows cross-origin requests to execute privileged actions.
Insufficient Output Sanitization: User-supplied input is stored in the database without proper sanitization and later rendered without adequate encoding, allowing HTML and JavaScript injection that persists across page loads.
Attack Vector
The attack is network-based and follows this exploitation flow:
- Reconnaissance: The attacker identifies a WordPress site running a vulnerable version of the Call me Now plugin (<= 1.0.5)
- Payload Crafting: The attacker creates a malicious HTML page containing a hidden, auto-submitting form or JavaScript that sends a request to the vulnerable settings endpoint with an XSS payload in one of the settings fields
- Social Engineering: The attacker tricks a logged-in WordPress administrator into visiting the malicious page through phishing emails, forum posts, or other deceptive means
- CSRF Execution: The victim's browser submits the forged request, attaching the administrator's session cookies, so the request arrives from the administrator's own IP address and session
- XSS Storage: The malicious JavaScript payload is stored in the WordPress database through the unprotected endpoint
- Persistent Exploitation: All subsequent visitors to affected pages execute the stored XSS payload, which can steal cookies, redirect users, inject content, or perform additional malicious actions
The vulnerability mechanism exploits the lack of anti-CSRF tokens on plugin settings forms. When an administrator visits a malicious page, their browser sends a cross-origin request containing modified plugin settings with embedded JavaScript. Without nonce verification, WordPress accepts this request as legitimate. The malicious script is then stored and executed whenever the affected plugin output is rendered on the frontend or backend.
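The two missing controls described above, shown side by side as an added illustration (this is not code from the Call me Now plugin; the option name, function names and hook names are hypothetical, while the WordPress functions called are real core APIs). The first pair reproduces the CSRF-to-stored-XSS pattern; the second pair adds the capability check, nonce verification, input sanitization and output escaping that close it:

```php
<?php
/*
 * Added illustration, not the plugin's own code. "cmn_demo_phone" and the
 * cmn_demo_* functions are hypothetical. check_admin_referer(), wp_nonce_field(),
 * current_user_can(), sanitize_text_field(), wp_unslash(), update_option(),
 * esc_attr(), esc_html(), esc_url(), admin_url(), submit_button(),
 * wp_safe_redirect() and wp_die() are real WordPress core functions.
 */

// --- Pattern that produces the CSRF -> stored XSS chain ---
// Any cross-site POST riding on a logged-in admin's cookies writes raw HTML
// into the option; the front end then echoes it to every visitor.
function cmn_demo_save_settings_vulnerable() {
    if ( isset( $_POST['cmn_phone'] ) ) {
        // no nonce check, no capability check, no sanitization
        update_option( 'cmn_demo_phone', $_POST['cmn_phone'] );
    }
}

function cmn_demo_render_vulnerable() {
    // unescaped output: stored <script> runs here
    echo '<div class="cmn-phone">' . get_option( 'cmn_demo_phone' ) . '</div>';
}

// --- Hardened pattern ---
function cmn_demo_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'cmn_demo_save', 'cmn_demo_nonce' ); ?>
        <input type="hidden" name="action" value="cmn_demo_save">
        <input type="text" name="cmn_phone"
               value="<?php echo esc_attr( get_option( 'cmn_demo_phone', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

function cmn_demo_save_settings_hardened() {
    // 1. Capability: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // 2. Anti-CSRF: the nonce is tied to the user, the action and a time window,
    //    so a page on another origin cannot supply a valid one.
    //    check_admin_referer() calls wp_die() when verification fails.
    check_admin_referer( 'cmn_demo_save', 'cmn_demo_nonce' );
    // 3. Input sanitization: strip tags and control characters before storage.
    $phone = isset( $_POST['cmn_phone'] )
        ? sanitize_text_field( wp_unslash( $_POST['cmn_phone'] ) )
        : '';
    update_option( 'cmn_demo_phone', $phone );
    wp_safe_redirect( admin_url( 'options-general.php?page=cmn-demo&updated=1' ) );
    exit;
}
// admin_post_{action} hooks only fire for logged-in users; the checks above
// still apply because CSRF arrives with a logged-in user's cookies.
add_action( 'admin_post_cmn_demo_save', 'cmn_demo_save_settings_hardened' );

// 4. Output encoding: escape at render time regardless of what is stored,
//    so even a value written before the fix cannot execute.
function cmn_demo_render_hardened() {
    echo '<div class="cmn-phone">' . esc_html( get_option( 'cmn_demo_phone', '' ) ) . '</div>';
}
```

Input sanitization and output escaping are both needed: sanitizing on save protects the database, but escaping on output is what neutralizes a payload that was stored before the fix or through some other path.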
For detailed technical analysis, refer to the Patchstack Vulnerability Report.
Detection Methods for CVE-2025-23745
Indicators of Compromise
- Unexpected modifications to Call me Now plugin settings or stored data
- JavaScript code or HTML tags appearing in plugin configuration fields
- Web server logs showing POST requests to plugin endpoints from external referrers
- Reports of unexpected redirects or pop-ups on pages containing Call me Now widget
Detection Strategies
- Review WordPress activity or audit logs for plugin setting changes that the administrator does not recall making; because a forged request is sent from the administrator's own browser and session, the log will attribute the change to that administrator
- Deploy a Content Security Policy in report-only mode and monitor the violation reports; a CSP strict enough to actually block the injected script is hard to apply to the WordPress dashboard, which relies on inline scripts, but the reports still reveal where untrusted script is being loaded or executed
- Deploy Web Application Firewall (WAF) rules to detect and block cross-site request forgery patterns and XSS payloads in plugin endpoints
- Use WordPress security plugins that scan for stored XSS patterns in database content
Monitoring Recommendations
- Log plugin configuration changes with an activity-log plugin or a hook on WordPress's updated_option action; WP_DEBUG_LOG records PHP errors and notices, not option changes
- Configure alerts for HTTP POST requests to the plugin's settings endpoints (or to the core wp-admin endpoints its forms submit to, such as options.php, admin-post.php and admin-ajax.php) whose Referer header is missing or belongs to a different host; logging the Origin header as well gives a stronger signal, since a lure page can suppress Referer but not set Origin to the victim site
- Use CSP violation reports (see Detection Strategies) to notice script loaded from or executed by untrusted sources within WordPress pages
- Regularly audit plugin database entries for suspicious script content or encoded payloads
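The Referer-based alert above, worked through as an added example over a few constructed access-log lines (this is not code from the page or the plugin). It assumes the plugin's settings form submits to one of the standard wp-admin endpoints listed in the code; the log lines, hostnames and IP addresses are made up for the example:

```php
<?php
/*
 * Added detection example, not from the page or the plugin. It scans
 * Apache/Nginx "combined" access-log lines for POSTs to the core WordPress
 * endpoints that plugin settings forms normally submit to (assumption: the
 * Call me Now form posts to one of them) whose Referer is missing or belongs
 * to another host. All sample data below is constructed.
 */

const CMN_SETTINGS_ENDPOINTS = array(
    '/wp-admin/options.php',
    '/wp-admin/admin-post.php',
    '/wp-admin/admin-ajax.php',
);

/**
 * Parse one combined-format log line into its fields, or return null.
 * Format: host ident user [time] "METHOD path proto" status bytes "referer" "ua"
 */
function cmn_parse_combined_line( $line ) {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if ( ! preg_match( $re, trim( $line ), $m ) ) {
        return null;
    }
    return array(
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
        'ua'      => $m[7],
    );
}

/**
 * Return the entries that look like cross-site POSTs to settings endpoints.
 * $site_host is the hostname the legitimate dashboard is served from.
 */
function cmn_flag_cross_origin_posts( array $lines, $site_host ) {
    $hits = array();
    foreach ( $lines as $line ) {
        $e = cmn_parse_combined_line( $line );
        if ( $e === null || $e['method'] !== 'POST' ) {
            continue;
        }
        $path = strtok( $e['path'], '?' ); // drop the query string before matching
        if ( ! in_array( $path, CMN_SETTINGS_ENDPOINTS, true ) ) {
            continue;
        }
        // A legitimate save from the dashboard carries the site's own Referer.
        // A CSRF lure either sends the attacker's origin or suppresses Referer
        // entirely (e.g. <meta name="referrer" content="no-referrer">), so both
        // "-" and a foreign host are flagged.
        $ref_host = $e['referer'] === '-' ? '' : (string) parse_url( $e['referer'], PHP_URL_HOST );
        if ( strcasecmp( $ref_host, $site_host ) !== 0 ) {
            $e['reason'] = $ref_host === '' ? 'missing-referer' : 'foreign-referer';
            $hits[]      = $e;
        }
    }
    return $hits;
}

// Constructed sample: a legitimate save, a lure from another origin, a lure
// with Referer suppressed, and an unrelated GET. Note that all three POSTs
// come from the same administrator IP, as a real CSRF request would.
$sample_log = array(
    '203.0.113.7 - - [16/Jan/2025:10:01:02 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0 "https://example.com/wp-admin/options-general.php?page=call-me-now" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Jan/2025:10:05:44 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0 "https://attacker.invalid/lure.html" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Jan/2025:10:06:10 +0000] "POST /wp-admin/admin-post.php?action=cmn_save HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [16/Jan/2025:10:07:00 +0000] "GET /wp-admin/options.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
);

// Prints the second and third lines (foreign-referer, missing-referer).
foreach ( cmn_flag_cross_origin_posts( $sample_log, 'example.com' ) as $hit ) {
    printf( "%s %s %s %s (%s)\n", $hit['time'], $hit['ip'], $hit['path'], $hit['referer'], $hit['reason'] );
}
```

Expect some false positives from browsers and extensions that strip Referer; if your web server logs the Origin header (for Apache, add %{Origin}i to the LogFormat), alert on Origin instead, since browsers always send it on cross-site POSTs and a lure page cannot forge the victim site's value.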
How to Mitigate CVE-2025-23745
Immediate Actions Required
- Update the Call me Now plugin to a patched version immediately if available from the vendor
- Deactivate and remove the Call me Now plugin if no patch is available and the functionality is non-essential
- Review plugin settings and database entries for signs of injected malicious content
- Audit WordPress access logs for suspicious plugin-related requests from unexpected sources
- Force logout all WordPress administrator sessions (changing the security keys and salts in wp-config.php invalidates every existing session) and rotate admin credentials
Patch Information
Check the WordPress plugin repository for updated versions of the Call me Now plugin that address this CSRF and Stored XSS vulnerability. If no official patch is available, consider implementing the workarounds below or finding an alternative plugin. Monitor the Patchstack Vulnerability Report for updates on remediation status.
Workarounds
- Restrict WordPress admin access to trusted IP addresses only using .htaccess or hosting firewall rules; note that this does not by itself stop CSRF, because the forged request is sent by the administrator's own browser from the trusted address, but it does keep unauthenticated attackers from probing the settings endpoints directly and limits who can be targeted
- Implement WAF rules that reject POST requests to the plugin's settings endpoints whose Origin or Referer header is missing or does not match the site's own host; a WAF cannot verify WordPress nonces, which are tied to the individual user session, so same-origin checks are the practical CSRF control at that layer
- Disable the Call me Now plugin until an official security patch is released
- Apply manual CSRF protection by adding nonce verification to the plugin's form handlers if you have development capabilities
# WordPress .htaccess - Restrict wp-admin access to trusted IPs
# 192.168.1.100 is a placeholder; add one "RewriteCond %{REMOTE_ADDR} !^...$" line per trusted address.
# admin-ajax.php is excluded because the front-end features of many plugins post to it.
# Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address; use the forwarded-client-IP module your host provides instead.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-admin [NC]
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php [NC]
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.100$
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

