CVE-2025-25072 Overview
CVE-2025-25072 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP Admin Custom Page WordPress plugin (wp-admin-custom-page) developed by thunderbax. This vulnerability allows attackers to chain CSRF with Stored Cross-Site Scripting (XSS), enabling persistent malicious script injection through forged requests. The vulnerability affects all versions of the plugin from initial release through version 1.5.0.
Critical Impact
Attackers can exploit this CSRF vulnerability to inject persistent malicious scripts into WordPress admin pages, potentially compromising administrative sessions, stealing credentials, or performing unauthorized actions on behalf of authenticated administrators.
Affected Products
- WP Admin Custom Page plugin versions through 1.5.0
- WordPress installations using the vulnerable wp-admin-custom-page plugin
- All configurations of the affected plugin versions
Discovery Timeline
- February 7, 2025 - CVE-2025-25072 published to NVD
- April 15, 2026 - Last updated in NVD database
Technical Details for CVE-2025-25072
Vulnerability Analysis
This vulnerability combines two distinct attack techniques: Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS). The WP Admin Custom Page plugin fails to properly validate the origin of requests when processing administrative actions, allowing attackers to craft malicious requests that, when triggered by an authenticated administrator, inject persistent JavaScript code into the WordPress admin interface.
The attack requires social engineering to convince an authenticated administrator to visit a malicious page or click a crafted link while logged into WordPress. Once triggered, the injected XSS payload persists in the database and executes whenever any administrator views the affected custom page, creating a persistent threat vector within the WordPress installation.
Root Cause
The vulnerability stems from improper implementation of CSRF protection mechanisms in the WP Admin Custom Page plugin. The plugin does not adequately verify nonce tokens or validate request origins when processing form submissions that create or modify custom admin pages. Combined with insufficient output sanitization, this allows attackers to inject arbitrary HTML and JavaScript content through forged requests.
The lack of proper input validation and output encoding when handling user-supplied content for custom pages enables the stored XSS component of this attack chain. The missing request validation is classified as CWE-352 (Cross-Site Request Forgery).
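To make the root cause concrete, here is an added illustration of the flaw class described above and of the hardened form; it is not the plugin's own code. The option name `acp_demo_page_html`, the action `acp_demo_save_page` and the nonce field `acp_demo_nonce` are hypothetical; the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `wp_kses_post`, `current_user_can`) are real.

```php
<?php
// Added illustration (not the plugin's code): a hypothetical "save custom page"
// handler, first in the vulnerable shape the advisory describes, then hardened.
// Hypothetical names: option 'acp_demo_page_html', action 'acp_demo_save_page'.

// --- Vulnerable pattern: no capability check, no nonce, raw HTML stored and echoed ---
function acp_demo_save_page_vulnerable() {
    // Any POST carrying a logged-in admin's cookies is accepted, whatever site sent it.
    update_option( 'acp_demo_page_html', wp_unslash( $_POST['page_html'] ?? '' ) );
    wp_safe_redirect( admin_url( 'admin.php?page=acp-demo' ) );
    exit;
}
function acp_demo_render_page_vulnerable() {
    echo get_option( 'acp_demo_page_html', '' ); // stored <script> runs for every admin who views it
}

// --- Hardened pattern: capability check, action-bound nonce, sanitize on input and output ---
function acp_demo_save_page_secure() {
    // 1. Only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Nonce bound to this action; a form on an attacker's site cannot supply it.
    //    check_admin_referer() stops the request when the nonce is missing or invalid.
    check_admin_referer( 'acp_demo_save_page', 'acp_demo_nonce' );
    // 3. Strip script tags, on* event handlers and javascript: URLs before storing.
    $html = wp_kses_post( wp_unslash( $_POST['page_html'] ?? '' ) );
    update_option( 'acp_demo_page_html', $html );
    wp_safe_redirect( admin_url( 'admin.php?page=acp-demo' ) );
    exit;
}
function acp_demo_render_page_secure() {
    // Filter again on output: defence in depth against content stored by an older version.
    echo wp_kses_post( get_option( 'acp_demo_page_html', '' ) );
}
function acp_demo_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="acp_demo_save_page">';
    wp_nonce_field( 'acp_demo_save_page', 'acp_demo_nonce' ); // emits the hidden nonce input
    echo '<textarea name="page_html"></textarea><button>Save</button></form>';
}
add_action( 'admin_post_acp_demo_save_page', 'acp_demo_save_page_secure' );
```

The nonce alone defeats the CSRF delivery; the `wp_kses_post` calls on input and output remove the stored XSS even if a forged request slips through some other path.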
Attack Vector
The attack follows a multi-stage process. An attacker first constructs a malicious HTML page containing a hidden form that submits to the vulnerable plugin endpoint. This form contains XSS payloads in the parameters used to create or modify custom admin pages.
When an authenticated WordPress administrator visits the attacker's page, the malicious form automatically submits using the administrator's session cookies. Since the plugin lacks proper CSRF validation, the request is processed as legitimate, and the XSS payload is stored in the database.
Subsequently, any administrator viewing the affected custom page will have the malicious script execute in their browser context, potentially leading to session hijacking, privilege escalation, or further compromise of the WordPress installation.
Detection Methods for CVE-2025-25072
Indicators of Compromise
- Unexpected custom admin pages appearing in the WordPress backend
- JavaScript code or suspicious HTML tags stored in custom page content within the database
- Browser console messages showing external scripts from unknown sources being loaded, or blocked by a Content Security Policy
- Unusual administrator account activities or session anomalies
Detection Strategies
- Review WordPress database tables associated with the WP Admin Custom Page plugin for unexpected script content
- Monitor HTTP request logs for suspicious POST requests to plugin endpoints without valid nonces
- Implement Content Security Policy (CSP) headers to detect and block unauthorized script execution
- Audit custom page configurations regularly for unauthorized modifications
Monitoring Recommendations
- Enable WordPress audit logging to track all administrative actions and plugin configuration changes
- Configure web application firewall (WAF) rules to detect CSRF attack patterns and XSS payloads
- Monitor for Referer headers pointing to external sites on sensitive admin endpoints that process form submissions
- Set up alerts for new or modified custom pages created through the plugin
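The detection strategies and monitoring recommendations above can be combined in a small must-use plugin that logs POST requests to admin endpoints whose Origin or Referer is not this site, which is the shape of a CSRF delivery. This is an added example, not part of the original page or the plugin; the file name, function names and log format are constructed, and it assumes the admin area is served from the same host as `site_url()`.

```php
<?php
// Added example (not the page's or the plugin's code): drop in
// wp-content/mu-plugins/cross-site-post-audit.php (constructed file name).
// Logs, but does not block, admin POSTs that arrive from another origin.

// Pure check, separated from WordPress globals so it can be reasoned about:
// true when a POST carries an Origin/Referer whose host differs from ours.
function csa_is_cross_site_post( array $server, string $site_url ): bool {
    if ( strtoupper( $server['REQUEST_METHOD'] ?? '' ) !== 'POST' ) {
        return false;
    }
    // Browsers send Origin on cross-site form posts; Referer is the fallback signal.
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ( $source === '' ) {
        return false; // no header at all: cannot conclude (referrer policies strip it)
    }
    $expected = wp_parse_url( $site_url, PHP_URL_HOST );
    $actual   = wp_parse_url( $source, PHP_URL_HOST );
    return strcasecmp( (string) $expected, (string) $actual ) !== 0;
}

// admin_init fires for wp-admin pages, admin-post.php and admin-ajax.php,
// so it covers the endpoints a plugin would use to save custom pages.
add_action( 'admin_init', function () {
    if ( ! csa_is_cross_site_post( $_SERVER, site_url() ) ) {
        return;
    }
    $entry = array(
        'ts'              => gmdate( 'c' ),
        'user_id'         => get_current_user_id(),
        'uri'             => $_SERVER['REQUEST_URI'] ?? '',
        'action'          => sanitize_text_field( wp_unslash( $_POST['action'] ?? '' ) ),
        'source'          => $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '',
        // Presence only: validity is checked per action by the handler itself.
        'has_nonce_field' => isset( $_POST['_wpnonce'] ),
    );
    error_log( 'cross-site admin POST: ' . wp_json_encode( $entry ) );
} );
```

A cross-site POST from a logged-in administrator with no nonce field is the event worth alerting on; forward the `error_log` output to the audit pipeline referenced above.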
How to Mitigate CVE-2025-25072
Immediate Actions Required
- Disable or remove the WP Admin Custom Page plugin until a patched version is available
- Review and audit all existing custom pages created by the plugin for malicious content
- Implement WordPress security plugins that provide CSRF protection and XSS filtering
- Restrict administrative access to trusted IP addresses where feasible
Patch Information
Affected versions of WP Admin Custom Page include all releases through version 1.5.0. Site administrators should check the Patchstack WordPress Vulnerability Report for the latest remediation guidance and monitor for plugin updates from the developer.
Workarounds
- Remove the WP Admin Custom Page plugin entirely until a security update is released
- Implement a Web Application Firewall (WAF) with rules to block CSRF and XSS attack patterns
- Add custom CSRF token validation through a security plugin as an additional protective layer
- Restrict WordPress admin access to authenticated users from known, trusted networks only
# WP-CLI example - deactivate the plugin
wp plugin deactivate wp-admin-custom-page
# List plugin option entries and review their values for script tags, on* event attributes or javascript: URLs
# (wp_ is the default table prefix; substitute your site's prefix if it differs)
wp db query "SELECT option_name, option_value FROM wp_options WHERE option_name LIKE '%wp_admin_custom_page%'"
# Enable maintenance mode while auditing
wp maintenance-mode activate
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.