CVE-2025-23832 Overview
CVE-2025-23832 is a Cross-Site Request Forgery (CSRF) vulnerability in the Matt Gibbs Admin Cleanup plugin for WordPress. The flaw affects all plugin versions up to and including 1.0.2. An attacker can chain the CSRF weakness with Stored Cross-Site Scripting (XSS), causing authenticated administrators to unknowingly persist malicious script payloads into the WordPress site. Once stored, the injected JavaScript executes in the browser of any user who views the affected page. The issue is tracked under CWE-352 and is documented in the Patchstack Vulnerability Report.
Critical Impact
A successful exploit lets an unauthenticated attacker trick an administrator into storing arbitrary JavaScript that executes in the WordPress admin context, enabling session theft, account takeover, and full site compromise.
Affected Products
- Matt Gibbs Admin Cleanup plugin for WordPress
- All versions through 1.0.2 (the advisory gives no lower bound, listed as n/a)
- WordPress sites running the vulnerable admin-cleanup plugin
Discovery Timeline
- 2025-01-16 - CVE-2025-23832 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-23832
Vulnerability Analysis
The Admin Cleanup plugin exposes administrative actions that modify stored plugin data without verifying the origin of the request. The plugin fails to validate WordPress nonces or check the request referrer on state-changing endpoints. An attacker who hosts a crafted page can submit a forged POST request through an administrator's authenticated browser session.
Because user-controlled input flows into stored fields without proper output encoding or input sanitization, the forged request can persist JavaScript payloads. The stored payload then executes whenever the admin views the affected interface, escalating CSRF into Stored XSS. This chain bypasses the privilege barrier because the victim already holds administrative rights.
Root Cause
The root cause is missing CSRF protection on plugin endpoints. WordPress provides wp_nonce_field() and check_admin_referer() for this purpose, but the plugin does not enforce these checks. The vulnerability is compounded by insufficient sanitization of stored values, allowing arbitrary HTML and script content to be saved and rendered.
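An added illustration of the root cause and its fix (example code, not the plugin's own): a hypothetical option-save handler written in the unprotected pattern described above, followed by the same handler with the nonce, capability and sanitization checks WordPress provides. The function names, the option key and the form field name are assumptions.

```php
<?php
// Added illustration, not the Admin Cleanup plugin's code. Names such as
// admin_cleanup_* and the option key are assumptions made for this example.

// --- Vulnerable pattern: no nonce, no capability check, raw value stored ---
function admin_cleanup_save_vulnerable() {
    if ( isset( $_POST['admin_cleanup_label'] ) ) {
        // Any POST carrying the administrator's cookies is accepted (CWE-352),
        // and the raw value is persisted, so markup and script reach wp_options.
        update_option( 'admin_cleanup_label', $_POST['admin_cleanup_label'] );
    }
}

// --- Hardened pattern ---
function admin_cleanup_render_form() {
    echo '<form method="post">';
    // Emits a hidden nonce field bound to this action and the logged-in user.
    wp_nonce_field( 'admin_cleanup_save', '_admin_cleanup_nonce' );
    // Output encoding on the way out: the stored value is never echoed raw.
    printf(
        '<input type="text" name="admin_cleanup_label" value="%s">',
        esc_attr( get_option( 'admin_cleanup_label', '' ) )
    );
    echo '<input type="submit" value="Save"></form>';
}

function admin_cleanup_save_hardened() {
    if ( ! isset( $_POST['admin_cleanup_label'] ) ) {
        return;
    }
    // Authorization check: CSRF protection is not a substitute for it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Nonce check: a cross-site forged POST cannot carry a valid nonce, so
    // this dies with HTTP 403 before any state change. Second argument is
    // the hidden field name used in wp_nonce_field() above.
    check_admin_referer( 'admin_cleanup_save', '_admin_cleanup_nonce' );
    // Input sanitization on the way in: strips tags and control characters.
    $label = sanitize_text_field( wp_unslash( $_POST['admin_cleanup_label'] ) );
    update_option( 'admin_cleanup_label', $label );
}

add_action( 'admin_init', 'admin_cleanup_save_hardened' );
```

Both the nonce check and the sanitization are needed: the nonce stops the forged request, and the sanitization plus output escaping removes the stored-XSS half of the chain for values that do get written.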
Attack Vector
Exploitation requires user interaction. An attacker crafts a malicious web page or email containing an auto-submitting form or image tag that targets the vulnerable plugin endpoint. When an authenticated administrator visits the attacker-controlled resource, the browser issues the request with valid session cookies. The plugin accepts the forged input, stores the XSS payload, and the script executes on subsequent page loads. The CVSS scope change reflects that the injected script can affect any user who later loads the contaminated admin page.
Detection Methods for CVE-2025-23832
Indicators of Compromise
- Unexpected <script> tags, event handlers, or encoded JavaScript stored in Admin Cleanup plugin settings or option rows
- WordPress administrator accounts created or modified without corresponding audit log entries
- Outbound HTTP requests from admin browser sessions to unfamiliar domains following access to wp-admin
- HTTP Referer headers from external domains on POST requests targeting admin-cleanup plugin endpoints
Detection Strategies
- Inspect the wp_options table and plugin-specific configuration for HTML or JavaScript characters that should not appear in legitimate values
- Review web server logs for POST requests to plugin admin URLs with off-site Referer headers
- Monitor for new or unfamiliar JavaScript executing within the /wp-admin/ browser context
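An added detection helper, not part of the advisory: a stand-alone PHP script that applies the first two strategies above to constructed sample data, three Apache combined-format access-log lines and two option rows. The site hostname blog.example, the plugin page slug, the lure domain and the sample values are all assumptions.

```php
<?php
// Added detection helper (not from the advisory or the plugin). Applies two of the
// strategies above to constructed sample data: POST requests to wp-admin with an
// off-site Referer, and option values containing markup or script fragments.
const SITE_HOST = 'blog.example'; // assumption: hostname of the monitored site

// Parse an Apache "combined" log line; returns null when the line does not match.
function parse_combined_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return [ 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'referer' => $m[6] ];
}

// True for a state-changing wp-admin request whose Referer host is not our site.
// A missing Referer ("-") is reported as well, because browsers may strip it.
function is_cross_site_admin_post( array $req ): bool {
    if ( $req['method'] !== 'POST' || strpos( $req['path'], '/wp-admin/' ) !== 0 ) {
        return false;
    }
    $host = parse_url( $req['referer'], PHP_URL_HOST );
    return ! is_string( $host ) || strcasecmp( $host, SITE_HOST ) !== 0;
}
// True when a stored value carries a script tag, an inline event handler or a javascript: URL.
function option_looks_injected( string $value ): bool {
    return (bool) preg_match( '/<\s*script\b|<\s*\w+[^>]*\son\w+\s*=|javascript\s*:/i', $value );
}
// Constructed sample input: three access-log lines and two option rows.
$log = [
    '203.0.113.7 - - [16/Jan/2025:10:00:01 +0000] "POST /wp-admin/admin.php?page=admin-cleanup HTTP/1.1" 302 0 "https://lure.example/page.html" "Mozilla/5.0"',
    '198.51.100.9 - - [16/Jan/2025:10:02:15 +0000] "POST /wp-admin/admin.php?page=admin-cleanup HTTP/1.1" 302 0 "https://blog.example/wp-admin/admin.php" "Mozilla/5.0"',
    '198.51.100.9 - - [16/Jan/2025:10:03:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];
$options = [
    'admin_cleanup_label' => 'Hide dashboard widgets',
    'admin_cleanup_note'  => '<script src="https://lure.example/c.js"></script>',
];

foreach ( $log as $line ) {
    $req = parse_combined_line( $line );
    if ( $req !== null && is_cross_site_admin_post( $req ) ) {
        echo "ALERT cross-site admin POST from {$req['ip']} at {$req['time']} (referer {$req['referer']})\n";
    }
}
foreach ( $options as $name => $value ) {
    if ( option_looks_injected( $value ) ) {
        echo "ALERT option '$name' contains script-capable content\n";
    }
}
```

On the sample data only the first log line and the admin_cleanup_note row are reported; the same-origin POST and the GET are not. Referer-based matching is a triage signal, not proof, since privacy settings and some proxies strip or rewrite the header.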
Monitoring Recommendations
- Enable WordPress audit logging to capture changes to plugin options and user accounts
- Alert on administrator sessions that load external scripts or initiate unexpected XHR traffic
- Track installations of the Admin Cleanup plugin across managed WordPress fleets and flag versions at or below 1.0.2
How to Mitigate CVE-2025-23832
Immediate Actions Required
- Deactivate and remove the Matt Gibbs Admin Cleanup plugin if a patched version is not available
- Audit WordPress administrator accounts for unauthorized additions and rotate credentials for all privileged users
- Clear browser sessions and force re-authentication for all wp-admin users
- Review plugin-stored values and remove any malicious script content before re-enabling administrative access
Patch Information
No fixed version is identified in the Patchstack Vulnerability Report. The advisory lists all versions through 1.0.2 as vulnerable. Site owners should monitor the WordPress plugin repository for an updated release and remove the plugin in the interim.
Workarounds
- Uninstall the Admin Cleanup plugin until a vendor-supplied fix is published
- Deploy a web application firewall rule that blocks POST requests to plugin endpoints lacking a same-origin Referer header
- Restrict wp-admin access by IP allowlist to limit exposure to forged cross-origin requests
- Apply a Content Security Policy on wp-admin responses to limit inline script execution
# Example: restrict wp-admin to trusted IPs in the Apache server or virtual-host
# configuration. A <Directory> block is not permitted inside an .htaccess file;
# for .htaccess placed in wp-admin/, keep only the <RequireAny> section.
# Caveat: wp-admin/admin-ajax.php serves front-end AJAX for anonymous visitors,
# so exempt it if the site relies on that.
<Directory "/var/www/html/wp-admin">
    <RequireAny>
        Require ip 203.0.113.0/24
        Require ip 198.51.100.42
    </RequireAny>
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.