CVE-2025-31404 Overview
CVE-2025-31404 is a Cross-Site Request Forgery (CSRF) vulnerability in the AF Tell a Friend WordPress plugin developed by Wladyslaw Madejczyk. This vulnerability allows attackers to leverage CSRF to inject Stored Cross-Site Scripting (XSS) payloads into the affected WordPress installation. The chained nature of this vulnerability (CSRF to Stored XSS) significantly increases its potential impact, as it enables persistent malicious script execution in the context of authenticated users.
Critical Impact
Attackers can exploit the CSRF vulnerability to inject persistent XSS payloads that execute in the browsers of all users who view the affected content, potentially leading to session hijacking, credential theft, or administrative account compromise.
Affected Products
- AF Tell a Friend WordPress Plugin version 1.4 and earlier
- WordPress installations using the af-tell-a-friend plugin
- All versions from initial release through version 1.4
Discovery Timeline
- 2025-04-09 - CVE-2025-31404 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-31404
Vulnerability Analysis
This vulnerability represents a compound attack chain combining two distinct vulnerability classes: Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS). The AF Tell a Friend plugin fails to implement proper CSRF token validation on sensitive form submissions, allowing an attacker to craft malicious requests that are executed in the context of an authenticated administrator. Furthermore, the plugin does not properly sanitize or escape user-supplied input before storing and rendering it, enabling the injection of persistent JavaScript payloads.
The CSRF-to-XSS chain is particularly dangerous because it allows an unauthenticated attacker to inject persistent malicious content that will execute for every user who subsequently views the affected page, including administrators with elevated privileges.
Root Cause
The root cause of this vulnerability stems from two security deficiencies in the AF Tell a Friend plugin:
- Missing CSRF Protection: The plugin does not implement nonce verification or other anti-CSRF mechanisms on form submissions that modify plugin settings or content. This allows attackers to forge requests on behalf of authenticated users.
- Inadequate Input Sanitization: User-supplied data is not properly sanitized using WordPress security functions such as sanitize_text_field(), esc_html(), or wp_kses() before being stored in the database or rendered in HTML output.
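The following is an added example written for this page; it is not code from the AF Tell a Friend plugin, whose source is not shown here. It contrasts the two deficiencies above in a generic WordPress settings handler: first a pattern with no nonce check and no sanitization, then a hardened handler that checks capability, verifies a nonce, sanitizes on input with sanitize_text_field() and escapes on output with esc_attr(). The option name, nonce action, field name and the example_taf_ prefix are assumptions.

```php
<?php
// Added example, not the plugin's code. Names with the example_taf_ prefix are hypothetical.

// --- Vulnerable pattern: no capability check, no nonce, no sanitization, no output escaping ---
function example_taf_insecure_save() {
    if ( isset( $_POST['subject'] ) ) {
        // Stored verbatim: a forged cross-site POST can plant markup here (CSRF -> stored XSS).
        update_option( 'example_taf_subject', $_POST['subject'] );
    }
}
function example_taf_insecure_render() {
    // Rendered unescaped, so stored markup executes for every user who opens this screen.
    echo '<input name="subject" value="' . get_option( 'example_taf_subject', '' ) . '">';
}

// --- Hardened pattern ---
function example_taf_secure_save() {
    // 1. Authorization: only users who may manage options reach the write path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // 2. CSRF defense: the nonce must have been issued to this user for this action
    //    (check_admin_referer() dies on failure, so nothing below runs on a forged request).
    check_admin_referer( 'example_taf_save_settings', 'example_taf_nonce' );

    // 3. Sanitize on input. wp_unslash() removes the slashes WordPress adds to $_POST.
    $subject = isset( $_POST['subject'] )
        ? sanitize_text_field( wp_unslash( $_POST['subject'] ) )
        : '';
    update_option( 'example_taf_subject', $subject );

    wp_safe_redirect( admin_url( 'admin.php?page=example_taf&saved=1' ) );
    exit;
}
// admin-post.php dispatches to this handler when the form's hidden "action" field matches.
add_action( 'admin_post_example_taf_save', 'example_taf_secure_save' );

function example_taf_secure_render() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_taf_save">';
    // Emits the hidden nonce field (and a referer field) that check_admin_referer() expects.
    wp_nonce_field( 'example_taf_save_settings', 'example_taf_nonce' );
    // 4. Escape on output as well: input sanitization and output escaping are separate controls.
    echo '<input name="subject" value="' . esc_attr( get_option( 'example_taf_subject', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}
```

The nonce alone stops the CSRF step, and sanitization alone limits what a stored value can contain; both are needed because a nonce does nothing against an authenticated user who submits the form directly, and sanitization does nothing to stop a forged request from changing legitimate settings.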
Attack Vector
The attack follows a multi-stage exploitation process:
- Attacker Crafts Malicious Page: The attacker creates a web page containing a hidden form that submits to the vulnerable plugin endpoint with XSS payload data.
- Social Engineering: The attacker lures an authenticated WordPress administrator to visit the malicious page.
- Forged Request Execution: When the administrator visits the page, the hidden form automatically submits (via JavaScript), sending the XSS payload to the WordPress installation.
- Payload Storage: Due to missing input sanitization, the XSS payload is stored in the database.
- Persistent Execution: The malicious script executes whenever users view the affected content, enabling session hijacking, credential theft, or further attacks.
The attack can be executed without the victim's knowledge, as the form submission occurs automatically upon page load. Successful exploitation could allow an attacker to perform administrative actions, inject additional malicious content, or compromise user accounts.
Detection Methods for CVE-2025-31404
Indicators of Compromise
- Unexpected JavaScript code or <script> tags appearing in plugin settings or stored content
- Suspicious form submissions to the AF Tell a Friend plugin endpoints from external referrers
- Browser console errors indicating blocked inline scripts (if Content Security Policy is enabled)
- User reports of unexpected behavior or redirects when viewing pages containing the plugin
Detection Strategies
- Monitor web server access logs for POST requests to AF Tell a Friend plugin endpoints with suspicious payloads containing HTML or JavaScript
- Implement Web Application Firewall (WAF) rules to detect and block XSS patterns in request parameters
- Scan WordPress database tables for stored XSS indicators such as <script>, javascript:, or event handlers like onerror
- Use WordPress security plugins to audit plugin settings for unauthorized modifications
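The following added example (written for this page, not part of any SentinelOne or plugin tooling) turns the indicators above into a small scanner: one function applies the stored-XSS patterns (<script>, javascript:, on*= handlers) to option values such as those read from wp_options, and another flags POST requests to a plugin endpoint in combined-format access logs when the request carries those patterns or arrives with a referer from another host. The option names, the endpoint path /wp-admin/admin.php?page=af-tell-a-friend, the host names and the log lines are constructed samples.

```php
<?php
// Added example, not from the page or the plugin. All sample data below is constructed.

// Stored-XSS indicator patterns (case-insensitive).
const XSS_INDICATORS = [
    'script_tag'     => '/<\s*script\b/i',
    'javascript_uri' => '/javascript\s*:/i',
    'event_handler'  => '/\bon[a-z]+\s*=/i',
    'active_element' => '/<\s*(svg|iframe|object|embed)\b/i',
];

// Returns the names of every indicator matching the value. The value is also checked
// URL-decoded and entity-decoded, since encoded payloads are common in logs and stored data.
function find_xss_indicators(string $value): array
{
    $hits = [];
    $candidates = [$value, urldecode($value), html_entity_decode($value, ENT_QUOTES)];
    foreach (XSS_INDICATORS as $name => $pattern) {
        foreach ($candidates as $candidate) {
            if (preg_match($pattern, $candidate)) {
                $hits[] = $name;
                break;
            }
        }
    }
    return $hits;
}

// Takes option_name => option_value rows (e.g. from a SELECT on wp_options restricted to the
// plugin's option prefix) and returns only the rows with indicators.
function scan_stored_values(array $rows): array
{
    $findings = [];
    foreach ($rows as $name => $value) {
        $hits = find_xss_indicators((string) $value);
        if ($hits) {
            $findings[$name] = $hits;
        }
    }
    return $findings;
}

// Flags POST requests to $endpoint whose request line carries indicators or whose
// referer host differs from the site's own host (the CSRF step described on this page).
function scan_access_log(array $lines, string $endpoint, string $site_host): array
{
    $flagged = [];
    // Combined log format: ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;
        }
        [, $ip, $method, $path, , $referer] = $m;
        if ($method !== 'POST' || strpos($path, $endpoint) !== 0) {
            continue;
        }
        $reasons = find_xss_indicators($path);
        $ref_host = parse_url($referer, PHP_URL_HOST);
        if ($referer !== '-' && $ref_host !== null && strcasecmp($ref_host, $site_host) !== 0) {
            $reasons[] = 'external_referer:' . $ref_host;
        }
        if ($reasons) {
            $flagged[] = ['ip' => $ip, 'path' => $path, 'reasons' => $reasons];
        }
    }
    return $flagged;
}

// Constructed sample data: two benign values, one with an event handler, one entity-encoded.
$sample_options = [
    'taf_subject' => 'Check out this post',
    'taf_footer'  => 'Thanks! <img src=x onerror="alert(1)">',
    'taf_intro'   => '&lt;script&gt;alert(1)&lt;/script&gt;',
];
$sample_log = [
    '203.0.113.9 - - [10/Apr/2025:12:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 512 "https://blog.example" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Apr/2025:12:00:05 +0000] "POST /wp-admin/admin.php?page=af-tell-a-friend&subject=%3Cscript%3E HTTP/1.1" 302 0 "https://lure.example/page.html" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Apr/2025:12:01:00 +0000] "POST /wp-admin/admin.php?page=af-tell-a-friend HTTP/1.1" 200 128 "https://blog.example/wp-admin/admin.php" "Mozilla/5.0"',
];

print_r(scan_stored_values($sample_options));   // taf_footer and taf_intro are reported
print_r(scan_access_log($sample_log, '/wp-admin/admin.php?page=af-tell-a-friend', 'blog.example'));
```

Run with the PHP CLI; the second POST line is flagged for both the encoded script tag and the external referer, while the same-origin POST is not. A referer check is only a heuristic (browsers may strip or omit it), so treat it as a triage signal alongside the payload indicators rather than as proof.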
Monitoring Recommendations
- Enable WordPress audit logging to track all plugin configuration changes and content modifications
- Configure SentinelOne Singularity to monitor for suspicious JavaScript execution patterns originating from WordPress installations
- Implement Content Security Policy (CSP) headers to mitigate XSS impact and generate violation reports
- Regularly review stored content in database tables associated with the AF Tell a Friend plugin
How to Mitigate CVE-2025-31404
Immediate Actions Required
- Immediately deactivate and remove the AF Tell a Friend plugin (af-tell-a-friend) if version 1.4 or earlier is installed
- Audit WordPress database for any signs of stored XSS payloads that may have been injected
- Review WordPress user accounts for any unauthorized administrative accounts or privilege changes
- Clear browser caches for administrators who may have interacted with affected pages
Patch Information
As of the published vulnerability data, all versions of AF Tell a Friend through version 1.4 are affected. Site administrators should check the Patchstack WordPress Vulnerability Analysis for the latest information on available patches or updates. If no patched version is available, consider replacing the plugin with a secure alternative that provides similar functionality.
Workarounds
- Remove or deactivate the AF Tell a Friend plugin until a security patch is released by the vendor
- Implement Content Security Policy (CSP) headers to restrict inline script execution and mitigate XSS impact
- Deploy a Web Application Firewall (WAF) with rules to block CSRF and XSS attack patterns
- Restrict access to WordPress administrative interfaces using IP whitelisting or VPN requirements
- Enable HTTP-only and Secure flags on all session cookies to reduce session hijacking risk
// WordPress configuration to help mitigate XSS impact (PHP; add to wp-config.php)
// FORCE_SSL_ADMIN makes the login page and wp-admin HTTPS-only, so the authentication
// cookies are set with the Secure flag (WordPress already marks them HttpOnly).
define('FORCE_SSL_ADMIN', true);
// The constants below scope the cookie path/domain; they add no cookie flags on their own.
// Adjust them for subdirectory or multisite installations before deploying.
define('ADMIN_COOKIE_PATH', '/');
define('COOKIE_DOMAIN', '');
define('COOKIEPATH', '');

# Apache .htaccess CSP header example (requires mod_headers)
<IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';"
</IfModule>
# Caveat: wp-admin relies on inline scripts, so script-src 'self' without nonces or hashes
# breaks the dashboard. Roll the policy out with Content-Security-Policy-Report-Only first
# and review the violation reports before enforcing it.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

