The vulnerability CVE-2025-23537 affects the 'add custom google tag manager' plugin versions up to 1.0.3. It is a Cross-Site Request Forgery (CSRF) issue that enables an attacker to inject stored Cross-Site Scripting (XSS) payloads by exploiting the lack of proper request validation. This can result in the execution of malicious scripts in the context of the affected application. The CVSS 3.1 base score is 7.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality, integrity, and availability.

Successful exploitation of this vulnerability can allow an attacker to perform unauthorized actions on behalf of an authenticated user, leading to stored XSS. This can compromise user sessions, steal sensitive information, or perform actions within the affected application context. The impact is rated high due to the combination of CSRF and stored XSS, which can lead to persistent client-side code execution.

No official patch or remediation guidance is currently available for this vulnerability. Users should monitor the vendor's advisory channels for updates. Until a fix is released, consider implementing additional CSRF protections such as verifying origin headers or using web application firewalls to detect and block suspicious requests. Avoid using affected versions of the plugin if possible.