The vulnerability CVE-2025-23446 affects the WP SpaceContent plugin by KokoenDE, allowing Cross-Site Request Forgery (CSRF) attacks that result in stored Cross-Site Scripting (XSS). This means an attacker can trick an authenticated user into submitting a forged request that causes malicious scripts to be stored and executed in the context of the affected site. The vulnerability impacts versions up to 0.4.5. The CVSS 3.1 base score is 7.1, indicating high severity with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and availability. No patch or vendor advisory is currently available to confirm remediation status.

Successful exploitation of this vulnerability can lead to stored XSS, allowing attackers to execute arbitrary scripts in the context of the affected site. This can compromise user data, session tokens, or perform actions on behalf of authenticated users. The CSRF nature of the vulnerability means that attackers can induce authenticated users to perform unwanted actions without their consent. The overall impact affects confidentiality, integrity, and availability of the affected system as reflected in the CVSS vector.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling the WP SpaceContent plugin or restricting its usage to trusted users only. Applying web application firewall (WAF) rules to detect and block CSRF attempts may provide temporary mitigation. Monitor official KokoenDE channels for updates and patches.