CVE-2025-23980 Overview
CVE-2025-23980 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress Full Circle plugin developed by James Andrews. This vulnerability enables attackers to chain CSRF with Stored Cross-Site Scripting (XSS), allowing malicious actors to inject persistent scripts into the application through forged requests submitted by authenticated users.
Critical Impact
Attackers can leverage CSRF to inject malicious scripts that persist in the application, potentially compromising administrative sessions, stealing credentials, and defacing website content.
Affected Products
- WordPress Full Circle plugin version 0.5.7.8 and earlier
- All previous versions of the full-circle plugin
Discovery Timeline
- 2025-01-31 - CVE-2025-23980 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-23980
Vulnerability Analysis
This vulnerability combines two distinct attack vectors: Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS). The Full Circle plugin fails to implement proper CSRF token validation on certain administrative forms, allowing attackers to craft malicious requests that are executed when an authenticated administrator visits an attacker-controlled page.
The CSRF vulnerability serves as the entry point, enabling attackers to submit unauthorized requests on behalf of logged-in administrators. These requests can inject malicious JavaScript payloads that are stored in the database and subsequently rendered to other users visiting affected pages.
The stored nature of the XSS component makes this vulnerability particularly dangerous, as the injected scripts execute automatically whenever victims access pages containing the malicious content, without requiring further interaction with the attacker.
Root Cause
The root cause is the absence of nonce verification (CSRF tokens) on form submissions within the Full Circle plugin. WordPress provides built-in CSRF protection through nonces, but the affected plugin versions do not properly implement these security checks, leaving state-changing operations unprotected.
Additionally, insufficient output sanitization allows user-supplied data to be rendered in HTML context without proper encoding, enabling the stored XSS component of the attack chain.
Attack Vector
The attack requires an authenticated administrator to visit an attacker-controlled webpage while logged into the WordPress site. The malicious page contains a hidden form that automatically submits a forged request to the vulnerable plugin endpoint, injecting JavaScript code that is stored server-side.
Once stored, the malicious script executes in the browser context of any user viewing the affected content. This can lead to session hijacking, administrative account takeover, website defacement, malware distribution to site visitors, and privilege escalation.
The vulnerability can be exploited remotely and requires user interaction (tricking an admin to visit the malicious page). For detailed technical information, refer to the Patchstack Vulnerability Report.
Detection Methods for CVE-2025-23980
Indicators of Compromise
- Unexpected JavaScript code or <script> tags appearing in plugin-managed content areas
- Suspicious administrative actions in WordPress logs without corresponding legitimate user activity
- Unusual outbound connections from visitor browsers to unknown domains
- Modified database entries containing encoded or obfuscated script content
Detection Strategies
- Monitor WordPress database tables associated with the Full Circle plugin for injection of script tags or event handlers
- Implement Content Security Policy (CSP) headers to detect and block unauthorized script execution
- Review web server access logs for POST requests to Full Circle plugin endpoints originating from external referrers
- Deploy Web Application Firewall (WAF) rules to detect CSRF and XSS payload patterns
Monitoring Recommendations
- Enable WordPress audit logging to track all administrative changes and plugin interactions
- Configure browser-side monitoring for CSP violations that may indicate XSS execution attempts
- Set up alerts for unusual database modifications, particularly in plugin configuration tables
- Implement real-time monitoring of outbound requests from the WordPress installation
How to Mitigate CVE-2025-23980
Immediate Actions Required
- Disable or deactivate the Full Circle plugin immediately until a patched version is available
- Review WordPress database content for any injected malicious scripts
- Reset administrative user sessions and credentials as a precautionary measure
- Implement Web Application Firewall (WAF) rules to block suspicious form submissions
Patch Information
As of the last update, affected versions include Full Circle plugin version 0.5.7.8 and all prior releases. Check the Patchstack Vulnerability Report for the latest patch availability and update instructions. Consider alternative plugins if no security patch is released in a timely manner.
Workarounds
- Temporarily disable the Full Circle plugin until a security patch is released
- Implement strict Content Security Policy headers to mitigate XSS impact
- Use security plugins that add CSRF protection at the application layer
- Restrict administrative access to trusted IP addresses only
- Educate administrators about phishing and social engineering tactics used to exploit CSRF vulnerabilities
# Example: Add Content Security Policy headers in .htaccess
# This helps mitigate XSS execution even if payloads are injected
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
