The vulnerability identified as CVE-2025-23436 affects the Wp-Scribd-List WordPress plugin, versions up to 1.2. It is a Cross-Site Request Forgery (CSRF) issue that enables stored Cross-Site Scripting (XSS) attacks. This means an attacker could trick an authenticated user into submitting a forged request that results in malicious script being stored and executed in the context of the vulnerable site. The CVSS score of 7.1 indicates a high impact with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and availability.

Successful exploitation can lead to stored XSS, allowing attackers to execute arbitrary scripts in the context of the affected site. This can compromise user data confidentiality, integrity, and availability. The CSRF aspect means that attackers can induce authenticated users to perform unwanted actions without their consent. There are no known exploits in the wild reported at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, users should consider disabling or removing the Wp-Scribd-List plugin if feasible. Applying standard CSRF mitigations such as verifying nonces or tokens in requests may help, but specific vendor guidance is necessary. Monitor official vendor channels for updates and patches.