CVE-2025-31404 Overview
CVE-2025-31404 is a Cross-Site Request Forgery (CSRF) vulnerability in the AF Tell a Friend WordPress plugin developed by Wladyslaw Madejczyk. The flaw affects all plugin versions up to and including 1.4. Attackers can chain the CSRF weakness with stored Cross-Site Scripting (XSS), enabling persistent script injection through a forged administrator request. Successful exploitation requires the targeted user to visit a malicious page while authenticated. The injected payload then persists in the WordPress database and executes against any visitor or administrator who loads the affected page.
Critical Impact
An unauthenticated attacker can plant persistent JavaScript in a WordPress site by tricking an authenticated administrator into clicking a crafted link, leading to session theft and site takeover.
Affected Products
- AF Tell a Friend WordPress plugin (slug: af-tell-a-friend)
- All versions up to and including 1.4 (no lower bound is specified in the advisory)
- Wladyslaw Madejczyk (plugin author)
Discovery Timeline
- 2025-04-09 - CVE-2025-31404 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-31404
Vulnerability Analysis
The AF Tell a Friend plugin exposes administrative actions without verifying request origin. The plugin omits valid WordPress nonce checks on state-changing endpoints, which places the issue under CWE-352 (Cross-Site Request Forgery). An attacker hosts a crafted HTML page that triggers a POST request to the plugin's settings handler, and the victim's browser attaches its authenticated session cookies to that request. The forged request stores attacker-controlled JavaScript in plugin options or content fields, and because that input is later rendered without output encoding, the stored payload executes whenever the affected page renders, producing a CSRF-to-Stored-XSS chain. The combined attack vector requires user interaction but no privileges on the part of the attacker.
Root Cause
The root cause is missing or improper CSRF token validation in the plugin's request handlers. WordPress provides wp_nonce_field() and check_admin_referer() primitives to prevent such forgeries, but the affected versions do not enforce them on the vulnerable endpoint. A secondary defect, insufficient input sanitization and output escaping, transforms the CSRF into persistent XSS.
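The pattern described above, as an added example that is not the AF Tell a Friend plugin's own code: a handler with the defect beside one that applies the WordPress primitives named here (check_admin_referer(), wp_nonce_field()) together with a capability check, input sanitization and output escaping. The option name, action name and function names are hypothetical.

```php
<?php
// Added example, not the AF Tell a Friend plugin's own code. The option name
// 'example_taf_message' and the action name 'example_taf_save' are hypothetical.

// DEFECTIVE pattern: no nonce check, no capability check, raw input stored,
// and the stored value later echoed without escaping (CSRF -> stored XSS).
function example_taf_save_vulnerable() {
    update_option( 'example_taf_message', $_POST['message'] );
    wp_safe_redirect( admin_url( 'admin.php?page=example-taf' ) );
    exit;
}

// HARDENED pattern: WordPress nonce, capability check, sanitized input.
function example_taf_save_hardened() {
    // Terminates the request (wp_die) unless a valid nonce for this action is
    // present; a form forged on a foreign site cannot know the nonce value.
    check_admin_referer( 'example_taf_save', 'example_taf_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    $message = isset( $_POST['message'] ) ? sanitize_text_field( wp_unslash( $_POST['message'] ) ) : '';
    update_option( 'example_taf_message', $message );
    wp_safe_redirect( admin_url( 'admin.php?page=example-taf' ) );
    exit;
}
add_action( 'admin_post_example_taf_save', 'example_taf_save_hardened' );

// Settings form: wp_nonce_field() emits the hidden nonce input the handler checks.
function example_taf_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_taf_save">
        <?php wp_nonce_field( 'example_taf_save', 'example_taf_nonce' ); ?>
        <input type="text" name="message"
               value="<?php echo esc_attr( get_option( 'example_taf_message', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Front-end rendering: escape on output so stored text can never become markup.
function example_taf_render_shortcode() {
    return '<p>' . esc_html( get_option( 'example_taf_message', '' ) ) . '</p>';
}
add_shortcode( 'example_taf', 'example_taf_render_shortcode' );
```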
Attack Vector
Exploitation occurs over the network and requires the victim to interact with attacker-controlled content. An attacker delivers a phishing email or malicious webpage referencing the vulnerable WordPress admin endpoint. When the authenticated administrator loads the page, the browser submits the forged request using session cookies. The plugin processes the request as legitimate and stores the malicious payload. See the Patchstack WordPress Vulnerability Report for technical details.
No verified proof-of-concept code is publicly available. The vulnerability mechanism follows the standard CSRF-to-Stored-XSS pattern documented in the security advisory.
Detection Methods for CVE-2025-31404
Indicators of Compromise
- Unexpected <script> tags, event handlers, or external JavaScript references stored in AF Tell a Friend plugin options within the wp_options table
- Administrator HTTP POST requests to plugin endpoints carrying a Referer header from an external origin rather than from wp-admin
- Outbound browser requests from administrator sessions to unknown domains after viewing pages containing the plugin shortcode
Detection Strategies
- Inspect WordPress database entries created or modified by the AF Tell a Friend plugin for HTML or JavaScript content that should contain only plain text
- Review web server access logs for POST requests to wp-admin/admin.php or admin-post.php referencing the plugin without same-origin Referer values
- Hunt for anomalous administrator activity correlated with phishing emails or visits to untrusted external sites
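The access-log review described in the second strategy, as an added example that is not part of the advisory: it parses Apache combined-format lines and flags POST requests to wp-admin/admin-post.php or admin.php whose Referer is absent or from a host other than the site itself. The hostname, log lines and IP addresses are constructed samples.

```php
<?php
// Added example, not part of the advisory: flags POST requests to WordPress
// admin endpoints whose Referer is missing or not from the site's own origin.
// The log lines below are constructed samples in Apache combined format.

const SITE_HOST = 'blog.example.org';   // assumed site hostname

function parse_combined_log_line(string $line): ?array {
    // host ident user [time] "method path proto" status bytes "referer" "ua"
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5], 'referer' => $m[6]];
}

function is_suspicious_admin_post(array $req, string $siteHost): bool {
    if ($req['method'] !== 'POST') {
        return false;
    }
    if (!preg_match('~/wp-admin/(admin-post|admin)\.php~', $req['path'])) {
        return false;
    }
    // A browser-initiated admin form submission normally carries a Referer
    // from wp-admin on the same host; "-" (absent) or a foreign host is
    // the cross-origin indicator named in the advisory.
    if ($req['referer'] === '-' || $req['referer'] === '') {
        return true;
    }
    $host = parse_url($req['referer'], PHP_URL_HOST);
    return strcasecmp((string) $host, $siteHost) !== 0;
}

$sampleLog = <<<LOG
198.51.100.7 - - [09/Apr/2025:10:15:01 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://blog.example.org/wp-admin/admin.php?page=af-tell-a-friend" "Mozilla/5.0"
198.51.100.7 - - [09/Apr/2025:10:17:44 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "http://lure.invalid/page.html" "Mozilla/5.0"
198.51.100.7 - - [09/Apr/2025:10:18:02 +0000] "POST /wp-admin/admin.php?page=af-tell-a-friend HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Apr/2025:10:20:11 +0000] "GET /wp-admin/admin.php?page=af-tell-a-friend HTTP/1.1" 200 8192 "https://blog.example.org/wp-admin/" "Mozilla/5.0"
LOG;

foreach (explode("\n", $sampleLog) as $line) {
    $req = parse_combined_log_line($line);
    if ($req !== null && is_suspicious_admin_post($req, SITE_HOST)) {
        printf("ALERT %s %s %s referer=%s\n", $req['time'], $req['ip'], $req['path'], $req['referer']);
    }
}
```

On the sample above only the second and third lines are reported; the same-origin POST and the GET are not.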
Monitoring Recommendations
- Enable WordPress audit logging to capture plugin setting changes with user, timestamp, and source IP attribution
- Monitor file integrity and database snapshots for unauthorized modifications to plugin-managed records
- Alert on Content Security Policy violation reports that indicate inline script execution on administrator-facing pages
How to Mitigate CVE-2025-31404
Immediate Actions Required
- Deactivate and remove the AF Tell a Friend plugin until a patched release is published, as all known versions up to 1.4 are vulnerable
- Rotate WordPress administrator passwords and invalidate active sessions to revoke any credentials potentially exposed through stored XSS
- Audit plugin-controlled database fields and remove any injected HTML or JavaScript artifacts
Patch Information
No fixed version is identified in the published advisory at the time of NVD publication. Site administrators should monitor the Patchstack WordPress Vulnerability Report and the WordPress plugin repository for vendor updates beyond version 1.4.
Workarounds
- Replace the plugin with an actively maintained alternative that implements WordPress nonce validation and output escaping
- Deploy a Web Application Firewall (WAF) rule that blocks cross-origin POST requests targeting plugin admin endpoints
- Enforce a strict Content Security Policy on wp-admin to restrict inline script execution and limit script sources to trusted origins
# Apache 2.4 .htaccess example: restrict access to the admin-post.php endpoint
# to a trusted address range (203.0.113.0/24 is a placeholder; substitute the
# administrators' network). Note that this blocks every plugin's admin-post.php
# handler from other addresses, not only AF Tell a Friend.
<Files "admin-post.php">
    Require ip 203.0.113.0/24
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.