CVE-2025-24756 Overview
CVE-2025-24756 is a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] in the mgplugin Roi Calculator WordPress plugin. The flaw chains a CSRF weakness with a Stored Cross-Site Scripting (XSS) condition, allowing attackers to persist malicious scripts in plugin-managed data. The issue affects Roi Calculator versions up to and including 1.0. Exploitation requires an authenticated administrator to visit an attacker-controlled page while logged into WordPress. Once the forged request executes, the injected payload is stored and served to subsequent visitors of the affected page.
Critical Impact
Successful exploitation results in persistent JavaScript execution in the browsers of WordPress users, enabling session theft, administrative action hijacking, and arbitrary content modification across the site.
Affected Products
- mgplugin Roi Calculator plugin for WordPress
- All versions through 1.0 (lower bound listed as n/a)
- WordPress sites with the roi-calculator plugin installed and active
Discovery Timeline
- 2025-01-24 - CVE-2025-24756 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-24756
Vulnerability Analysis
The Roi Calculator plugin exposes administrative endpoints that modify plugin settings without verifying anti-CSRF tokens. An attacker crafts a malicious HTML page or hidden form that auto-submits a request to the vulnerable endpoint. When an authenticated WordPress administrator visits the attacker's page, the browser submits the forged request using the administrator's session cookies. The plugin processes the request as legitimate and writes attacker-controlled input into stored configuration.
Because the stored input is later rendered without proper output encoding, the payload executes as JavaScript in the browser of anyone viewing the affected page. This chains CSRF with Stored XSS, producing a persistent client-side compromise from a single user interaction.
The attack vector is network-based, requires user interaction, and crosses a privilege scope by leveraging the victim's authenticated context. EPSS data reports a low exploit prediction probability, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Root Cause
The plugin omits WordPress nonce verification (wp_verify_nonce or check_admin_referer) on state-changing requests. It also fails to sanitize input on storage and escape output on rendering, allowing arbitrary HTML and script content to persist in plugin data.
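The handler pattern below is an added illustration of this root cause and its fix, not the Roi Calculator plugin's own source (no plugin code is reproduced on this page); the option name roi_calc_label, the action roi_save_settings, the nonce field roi_nonce and the settings page slug are assumed placeholders.

```php
<?php
// Added illustration of the CSRF + stored-XSS root cause; not the plugin's source.
// Option 'roi_calc_label', action 'roi_save_settings' and field 'roi_nonce' are assumed.

// BEFORE: no capability check, no nonce check, raw input stored, raw output rendered.
function roi_save_settings_vulnerable() {
    update_option( 'roi_calc_label', $_POST['label'] );     // any cross-site POST lands here
    wp_safe_redirect( admin_url( 'admin.php?page=roi-calculator' ) );
    exit;
}
function roi_render_label_vulnerable() {
    echo '<h2>' . get_option( 'roi_calc_label' ) . '</h2>'; // stored markup is served as-is
}

// AFTER: the form carries a nonce; the handler checks capability and nonce,
// sanitizes on write, and the renderer escapes on read.
function roi_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'roi_save_settings', 'roi_nonce' );   // bound to this user's session
    echo '<input type="hidden" name="action" value="roi_save_settings">';
    echo '<input name="label" value="' . esc_attr( get_option( 'roi_calc_label', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}
function roi_save_settings_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'roi_save_settings', 'roi_nonce' ); // dies on a missing or invalid nonce
    $label = sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) ); // strips tags on write
    update_option( 'roi_calc_label', $label );
    wp_safe_redirect( admin_url( 'admin.php?page=roi-calculator' ) );
    exit;
}
function roi_render_label_fixed() {
    echo '<h2>' . esc_html( get_option( 'roi_calc_label', '' ) ) . '</h2>'; // escape on read
}
// Only the hardened handler is hooked; the vulnerable functions exist for comparison.
add_action( 'admin_post_roi_save_settings', 'roi_save_settings_fixed' );
```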
Attack Vector
An attacker hosts a page containing a hidden form targeting the vulnerable plugin endpoint. The form payload includes a malicious <script> tag or event-handler attribute. The attacker lures a logged-in administrator to the page through phishing, a forum post, or a malicious advertisement. The administrator's browser submits the request automatically, and the injected payload is stored. Every subsequent visit to the affected page triggers script execution.
No proof-of-concept code is published in verified sources. Refer to the Patchstack WordPress Vulnerability advisory for additional technical context.
Detection Methods for CVE-2025-24756
Indicators of Compromise
- Unexpected <script> tags, onerror, or onload attributes stored in wp_options rows or plugin-specific tables associated with roi-calculator.
- WordPress access logs showing POST requests to Roi Calculator admin endpoints whose Referer header names an external origin.
- Administrator browser sessions reporting unexpected JavaScript execution or redirects on plugin-managed pages.
Detection Strategies
- Audit plugin configuration values for HTML markup or JavaScript content that should not be present in settings fields.
- Inspect HTTP request logs for state-changing POST requests to roi-calculator endpoints that lack a valid _wpnonce parameter.
- Deploy a Web Application Firewall (WAF) rule that flags cross-origin form submissions to WordPress admin URLs.
Monitoring Recommendations
- Monitor WordPress administrator accounts for anomalous outbound requests initiated by their browsers after login.
- Alert on creation or modification of plugin options containing characters such as <, >, or javascript:.
- Track installation inventory for the roi-calculator plugin and flag any instance at version 1.0 or earlier.
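The script below is an added detection helper covering the indicators and monitoring points above; it is not part of the plugin or the advisory. It runs with the PHP CLI against constructed sample data, and the admin endpoint path (admin.php?page=roi-calculator) and option names are assumed; with WordPress loaded, the same functions could be fed real values from get_option() or $wpdb.

```php
<?php
// Added detection helper; not from the plugin or the advisory. Endpoint path,
// option names and log lines below are constructed sample data.

// Flag stored settings that carry markup or script-bearing content.
function roi_flag_option_values( array $options ): array {
    $flagged  = array();
    $patterns = array(
        '/<\s*script\b/i',      // script tags
        '/\bon[a-z]+\s*=/i',    // inline event handlers such as onerror= or onload=
        '/javascript\s*:/i',    // javascript: URLs
        '/[<>]/',               // any other angle bracket in a plain-text setting
    );
    foreach ( $options as $name => $value ) {
        foreach ( $patterns as $re ) {
            if ( preg_match( $re, (string) $value ) ) {
                $flagged[ $name ] = $re;   // record which heuristic fired
                break;
            }
        }
    }
    return $flagged;
}

// Flag POSTs to the plugin's admin endpoint whose Referer is absent or off-site
// (combined log format: request line, status, size, referer, user agent).
function roi_flag_cross_origin_posts( array $log_lines, string $site_host ): array {
    $hits = array();
    $re   = '/"POST (\S*roi-calculator\S*) [^"]*" \d{3} \S+ "([^"]*)"/';
    foreach ( $log_lines as $line ) {
        if ( ! preg_match( $re, $line, $m ) ) {
            continue;
        }
        $ref_host = parse_url( $m[2], PHP_URL_HOST );
        if ( $m[2] === '-' || $ref_host === null || strcasecmp( $ref_host, $site_host ) !== 0 ) {
            $hits[] = $m[1] . ' referer=' . $m[2];
        }
    }
    return $hits;
}

// Constructed sample data: one clean setting, one with markup; one same-site POST, one cross-site.
$options = array( 'roi_calc_label' => 'Return on investment', 'roi_calc_note' => 'see <b>terms</b>' );
$log = array(
    '203.0.113.5 - - [24/Jan/2025:10:00:00 +0000] "POST /wp-admin/admin.php?page=roi-calculator HTTP/1.1" 302 0 "https://example.com/wp-admin/admin.php?page=roi-calculator" "UA"',
    '203.0.113.7 - - [24/Jan/2025:10:05:00 +0000] "POST /wp-admin/admin.php?page=roi-calculator HTTP/1.1" 302 0 "https://attacker.invalid/lure.html" "UA"',
);
print_r( roi_flag_option_values( $options ) );
print_r( roi_flag_cross_origin_posts( $log, 'example.com' ) );
```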
How to Mitigate CVE-2025-24756
Immediate Actions Required
- Deactivate and remove the Roi Calculator plugin until the vendor publishes a fixed release.
- Review stored plugin settings and remove any injected HTML or JavaScript content.
- Force a password reset and session invalidation for all WordPress administrator accounts.
Patch Information
No patched version is identified in the available advisory data. The vulnerability affects all versions through 1.0. Monitor the Patchstack advisory for updates from the plugin maintainer.
Workarounds
- Restrict access to /wp-admin/ by IP allowlist to limit exposure of administrator sessions to attacker-controlled pages.
- Deploy a WAF rule that requires a same-origin Referer header on POST requests to Roi Calculator endpoints.
- Enforce SameSite=Strict on WordPress authentication cookies to block cross-site request submission.
- Use a Content Security Policy (CSP) that restricts inline script execution on WordPress-rendered pages.
# Configuration example: temporarily disable the vulnerable plugin via WP-CLI
wp plugin deactivate roi-calculator
wp plugin delete roi-calculator
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.