CVE-2025-23749 Overview
CVE-2025-23749 is a Cross-Site Request Forgery (CSRF) vulnerability in the mybb Last Topics WordPress plugin developed by progpars.net. This vulnerability allows attackers to chain CSRF with Stored Cross-Site Scripting (XSS), enabling malicious actors to execute arbitrary JavaScript in the context of authenticated users' browsers. The vulnerability exists because the plugin fails to implement proper CSRF token validation, allowing attackers to trick administrators into performing unintended actions that inject persistent malicious scripts.
Critical Impact
Successful exploitation allows attackers to chain CSRF with Stored XSS, potentially leading to session hijacking, credential theft, administrative account takeover, and persistent malware injection on affected WordPress sites.
Affected Products
- mybb Last Topics WordPress Plugin version 1.0 and earlier
- WordPress installations using the vulnerable mybb-last-topics plugin
Discovery Timeline
- 2025-01-16 - CVE-2025-23749 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-23749
Vulnerability Analysis
This vulnerability combines two attack vectors: Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS). The mybb Last Topics plugin, which displays recent topics from MyBB forums on WordPress sites, fails to implement adequate CSRF protection on its administrative functions. When combined with insufficient input sanitization, this creates an attack chain where malicious scripts can be permanently stored in the database.
The attack flow begins when an authenticated administrator visits a malicious page containing a crafted form that auto-submits to the plugin's administrative endpoint. Since no CSRF token validation occurs, the request is processed as legitimate. The payload containing malicious JavaScript is then stored in the database and rendered to all subsequent visitors of the affected WordPress pages.
Root Cause
The root cause of this vulnerability is twofold:
Missing CSRF Token Validation (CWE-352): The plugin's administrative forms and AJAX endpoints do not verify WordPress nonces, allowing cross-origin requests to be processed without authentication context verification.
Insufficient Output Encoding: User-controlled input stored through the CSRF vector is not properly sanitized or escaped before being rendered in HTML context, enabling Stored XSS.
Attack Vector
The attack requires social engineering to lure an authenticated WordPress administrator to a malicious webpage. The attacker constructs a page containing a hidden form that automatically submits to the plugin's vulnerable endpoint. The form includes XSS payload data that will be stored in the WordPress database.
Once the administrator unknowingly triggers the CSRF attack by visiting the malicious page, the XSS payload becomes persistent. All users viewing pages where the mybb Last Topics widget or shortcode is displayed will have the malicious JavaScript executed in their browsers. This can lead to session token theft, keylogging, defacement, or further propagation of the attack.
Detection Methods for CVE-2025-23749
Indicators of Compromise
- Unexpected or suspicious JavaScript code in WordPress database tables related to the mybb Last Topics plugin
- Administrative actions logged without corresponding administrator sessions
- Unusual outbound requests from visitor browsers to unknown external domains
- Reports of browser warnings or unexpected redirects from site visitors
Detection Strategies
- Monitor WordPress audit logs for configuration changes to the mybb Last Topics plugin without corresponding admin login sessions
- Implement Content Security Policy (CSP) headers to detect and block unauthorized script execution
- Deploy web application firewall (WAF) rules to detect CSRF attack patterns and XSS payloads
- Regularly scan database content for suspicious JavaScript or HTML injection patterns
Monitoring Recommendations
- Enable comprehensive WordPress activity logging for all plugin configuration changes
- Monitor HTTP Referer headers for administrative requests originating from external domains
- Configure browser-based XSS detection and reporting mechanisms
- Implement real-time alerting for changes to plugin settings or widget content
How to Mitigate CVE-2025-23749
Immediate Actions Required
- Immediately deactivate and remove the mybb Last Topics plugin from all WordPress installations
- Audit WordPress database for any injected malicious content related to the plugin
- Review WordPress user activity logs for suspicious administrative actions
- Scan all site pages for unexpected JavaScript code that may have been injected
- Consider implementing a Web Application Firewall (WAF) to provide additional protection
Patch Information
As of the last update, no official patch has been released for this vulnerability. The affected versions include mybb Last Topics version 1.0 and earlier. Website administrators should monitor the Patchstack Vulnerability Report for updates on patch availability. Until a fix is released, the plugin should be removed from production environments.
Workarounds
- Remove the mybb Last Topics plugin entirely until a patched version is available
- If removal is not immediately possible, restrict administrative access to trusted IP addresses only
- Implement server-side CSRF protection using WordPress nonce verification at the web server level
- Deploy Content Security Policy headers to mitigate potential XSS impact
- Use a security plugin that provides additional CSRF protection for WordPress administrative functions
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
