The vulnerability CVE-2025-23508 affects the OrigoThemes Extra Options – Favicons plugin, specifically versions up to 1.1.0. It is a Cross-Site Request Forgery (CSRF) issue that enables stored Cross-Site Scripting (XSS). This means an attacker can trick an authenticated user into submitting a forged request that results in malicious script being stored and executed in the context of the affected application. The CVSS 3.1 base score is 7.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality, integrity, and availability.

Successful exploitation of this vulnerability can lead to stored XSS, which may allow attackers to execute arbitrary scripts in the context of the affected site, potentially leading to session hijacking, defacement, or other malicious actions. The CSRF nature of the vulnerability means that attackers can induce authenticated users to perform unintended actions. The overall impact is rated high due to the combination of CSRF and stored XSS.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or removing the affected plugin version or applying any recommended temporary mitigations from the vendor. Monitor the vendor's communications for updates on patches or official fixes.