CVE-2025-23895 Overview
CVE-2025-23895 is a Cross-Site Request Forgery (CSRF) vulnerability in the Add RSS WordPress plugin developed by Dan Cameron. It allows an attacker to use a CSRF attack to inject scripts that are then stored on the target website, resulting in Stored Cross-Site Scripting (XSS). Add RSS plugin versions through 1.5 are affected.
Critical Impact
Attackers can chain CSRF with Stored XSS to execute arbitrary JavaScript in the context of authenticated users, potentially leading to session hijacking, privilege escalation, or website defacement.
Affected Products
- Add RSS WordPress Plugin version <= 1.5
- WordPress installations using the vulnerable Add RSS plugin
Discovery Timeline
- 2025-01-16 - CVE-2025-23895 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-23895
Vulnerability Analysis
This vulnerability represents a compound attack vector combining Cross-Site Request Forgery (CSRF) with Stored Cross-Site Scripting (XSS). The Add RSS plugin fails to implement proper CSRF protection mechanisms (nonce verification) on forms or AJAX endpoints that handle RSS feed configuration. This allows an attacker to craft malicious requests that, when executed by an authenticated administrator, inject persistent malicious JavaScript code into the WordPress database.
The stored nature of the XSS component makes this particularly dangerous, as the malicious payload persists and executes whenever any user views the affected page or widget containing the injected content.
Root Cause
The root cause stems from two separate security failures in the plugin:
Missing CSRF Protection (CWE-352): The plugin does not validate WordPress nonces on state-changing operations, allowing forged requests from external sources to be processed as legitimate administrator actions.
Insufficient Input Sanitization: User-supplied input (likely RSS feed URLs, titles, or descriptions) is not properly sanitized before being stored in the database, and is not escaped when rendered, allowing JavaScript injection.
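The handler below is an added illustration for this write-up, not code from the Add RSS plugin (whose source is not reproduced here): it places the vulnerable pattern beside a hardened one showing the nonce check, capability check, input sanitization and output escaping whose absence the root cause describes. Function, option and action names are assumptions.

```php
<?php
// Illustrative save handler for an RSS feed option. Constructed for this
// write-up; function, option and action names are not the plugin's.
// Vulnerable pattern: the POST is trusted as-is. No nonce, no capability
// check, no sanitization, and the title is echoed raw elsewhere, which is
// exactly the CSRF-to-stored-XSS chain described above.
function addrss_demo_save_insecure() {
    update_option( 'addrss_demo_feed', array(
        'url'   => $_POST['feed_url'],
        'title' => $_POST['feed_title'],
    ) );
}
// Hardened pattern: nonce and capability on input, sanitize before storing,
// escape at output.
function addrss_demo_save_secure() {
    // Dies with a 403 page when the nonce is missing or invalid, so a forged
    // cross-site POST never reaches update_option().
    check_admin_referer( 'addrss_demo_save', 'addrss_demo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $url   = esc_url_raw( wp_unslash( $_POST['feed_url'] ?? '' ), array( 'http', 'https' ) );
    $title = sanitize_text_field( wp_unslash( $_POST['feed_title'] ?? '' ) );
    if ( '' === $url ) {
        wp_die( 'Invalid feed URL', '', array( 'response' => 400 ) );
    }
    update_option( 'addrss_demo_feed', array( 'url' => $url, 'title' => $title ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=addrss-demo&saved=1' ) );
    exit;
}
add_action( 'admin_post_addrss_demo_save', 'addrss_demo_save_secure' );
// Settings form: wp_nonce_field() emits the hidden field the handler checks.
function addrss_demo_form() {
    $feed = get_option( 'addrss_demo_feed', array( 'url' => '', 'title' => '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="addrss_demo_save">
        <?php wp_nonce_field( 'addrss_demo_save', 'addrss_demo_nonce' ); ?>
        <input type="url" name="feed_url" value="<?php echo esc_attr( $feed['url'] ); ?>">
        <input type="text" name="feed_title" value="<?php echo esc_attr( $feed['title'] ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}
// Front-end rendering: escape the stored title at output as well.
function addrss_demo_render_title() {
    $feed = get_option( 'addrss_demo_feed', array( 'title' => '' ) );
    echo '<h3>' . esc_html( $feed['title'] ) . '</h3>';
}
```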
Attack Vector
The attack requires social engineering to trick an authenticated WordPress administrator into visiting a malicious webpage or clicking a crafted link. The attacker's page contains a hidden form or JavaScript that automatically submits a request to the vulnerable plugin endpoint.
The attack flow proceeds as follows:
- Attacker identifies a WordPress site running the vulnerable Add RSS plugin
- Attacker creates a malicious webpage containing a forged request with XSS payload
- Authenticated WordPress administrator visits the attacker's page
- Browser automatically submits the forged request to the WordPress site
- Plugin processes the request without CSRF validation and stores malicious script
- All subsequent visitors to the affected page execute the attacker's JavaScript
Since no verified code examples are available, readers should consult the Patchstack WordPress Vulnerability Report for detailed technical information about the exploitation mechanism.
Detection Methods for CVE-2025-23895
Indicators of Compromise
- Unexpected modifications to RSS feed configurations in the WordPress database
- Presence of <script> tags or JavaScript event handlers in RSS widget settings
- Unusual JavaScript execution when viewing pages containing RSS widgets
- Anomalous outbound network requests from user browsers when viewing the site
Detection Strategies
- Audit the wp_options table for entries related to the Add RSS plugin containing suspicious JavaScript or HTML
- Review web server access logs for POST requests to Add RSS plugin endpoints from unusual referrers
- Implement Content Security Policy (CSP) headers to detect and block unauthorized script execution
- Monitor for cross-origin requests targeting WordPress admin endpoints
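To make the first detection strategy concrete, the following WP-CLI script is an added example for this write-up, not code from the Add RSS plugin or from Patchstack: it pulls options whose names match the plugin, unserializes them, and flags values containing script tags, inline event handlers, javascript: URIs or other active markup. The '%add_rss%' option-name filter is an assumption and should be adjusted to the option names the installed plugin actually uses.

```php
<?php
// Stored-XSS audit of plugin options, run as `wp eval-file addrss-audit.php`.
// Constructed for this write-up; the '%add_rss%' name filter is an assumption.
// Patterns indicating script injection in an RSS title, description or URL.
function addrss_audit_patterns() {
    return array(
        'script_tag'    => '/<\s*script\b/i',
        'event_handler' => '/\bon[a-z]+\s*=/i',
        'js_uri'        => '/javascript\s*:/i',
        'active_tag'    => '/<\s*(svg|iframe|object|embed)\b/i',
    );
}
// Walk a (possibly serialized) option value and return the pattern names hit.
function addrss_audit_value( $value ) {
    $hits = array();
    $walk = function ( $node ) use ( &$walk, &$hits ) {
        if ( is_array( $node ) || is_object( $node ) ) {
            foreach ( (array) $node as $child ) { $walk( $child ); }
            return;
        }
        if ( ! is_string( $node ) ) { return; }
        // Test raw and entity-decoded text so encoded payloads still surface.
        foreach ( array( $node, html_entity_decode( $node, ENT_QUOTES ) ) as $text ) {
            foreach ( addrss_audit_patterns() as $name => $re ) {
                if ( preg_match( $re, $text ) ) { $hits[ $name ] = true; }
            }
        }
    };
    $walk( maybe_unserialize( $value ) );
    return array_keys( $hits );
}
// Fetch options whose name matches the plugin and report the suspicious ones.
function addrss_audit_options( $like = '%add_rss%' ) {
    global $wpdb;
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name LIKE %s",
        $like
    ) );
    $findings = array();
    foreach ( $rows as $row ) {
        $hits = addrss_audit_value( $row->option_value );
        if ( $hits ) { $findings[ $row->option_name ] = $hits; }
    }
    return $findings;
}
foreach ( addrss_audit_options() as $name => $hits ) {
    WP_CLI::warning( sprintf( '%s: %s', $name, implode( ', ', $hits ) ) );
}
```

Any option reported here should be reviewed by hand before it is cleaned, since the patterns are deliberately broad and a legitimate feed description can trip them.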
Monitoring Recommendations
- Enable WordPress audit logging to track plugin configuration changes
- Configure Web Application Firewall (WAF) rules to detect CSRF and XSS patterns
- Use security response headers that make browsers block or report script execution the site did not intend
- Regularly scan stored content for malicious script injections
How to Mitigate CVE-2025-23895
Immediate Actions Required
- Deactivate and remove the Add RSS plugin (add-rss) from all WordPress installations
- Review database entries for any stored malicious scripts and sanitize affected content
- Audit user sessions and reset administrator credentials if compromise is suspected
- Implement a Content Security Policy to mitigate impact of any stored XSS payloads
Patch Information
As of the last update, no patched version has been confirmed. Users should monitor the Patchstack WordPress Vulnerability Report for updates regarding a security fix. Consider switching to alternative RSS plugins with active security maintenance.
Workarounds
- Remove or deactivate the Add RSS plugin until a patched version is available
- Implement server-level WAF rules to block suspicious POST requests to plugin endpoints
- Restrict administrative access to trusted IP addresses only
- Use WordPress security plugins that provide CSRF protection at the application level
# Deactivate the vulnerable plugin via WP-CLI
wp plugin deactivate add-rss --path=/var/www/html/wordpress
# Search the options table for potential XSS payloads (adjust the wp_ table prefix if the site uses a custom one)
wp db query "SELECT option_name, option_value FROM wp_options WHERE option_name LIKE '%add_rss%' AND option_value LIKE '%<script%'" --path=/var/www/html/wordpress
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

