CVE-2025-23977: Cross-Site Request Forgery (CSRF) in Bhaskar Dhote Post Carousel Slider
Cross-Site Request Forgery (CSRF) vulnerability in Bhaskar Dhote Post Carousel Slider post-carousel-slider allows Stored XSS. This issue affects Post Carousel Slider: from n/a through <= 2.0.1.
AI Analysis
Technical Summary
CVE-2025-23977 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Bhaskar Dhote Post Carousel Slider WordPress plugin, affecting all versions up to and including 2.0.1. The vulnerability enables attackers to trick authenticated users into unknowingly submitting malicious requests to the vulnerable site. This CSRF flaw leads to Stored Cross-Site Scripting (XSS), where malicious scripts are permanently stored on the target server and executed in the context of users visiting the site. The plugin is designed to display post carousels, and the vulnerability likely arises from insufficient validation of user-supplied input combined with a lack of anti-CSRF tokens or protections in the plugin's request handling. Because the XSS is stored, it can affect multiple users, potentially allowing attackers to steal cookies, hijack sessions, deface content, or deliver malware. No CVSS score has been assigned yet, and no public exploits are known at this time. The vulnerability was published on January 31, 2025, with the vendor project being Bhaskar Dhote. The absence of patches at the time of disclosure increases the urgency for mitigation. The vulnerability impacts the confidentiality, integrity, and availability of affected websites and their users.
Potential Impact
The impact of this vulnerability is significant for organizations using the Bhaskar Dhote Post Carousel Slider plugin on WordPress sites. Exploitation can lead to persistent XSS attacks, enabling attackers to execute arbitrary JavaScript in the context of site visitors, potentially stealing sensitive information such as authentication cookies or personal data. This can result in account takeover, unauthorized actions, defacement, or distribution of malware. The CSRF aspect means attackers can induce authenticated users to perform unintended actions, compounding the risk. For e-commerce, media, and content-heavy websites, this can lead to reputational damage, loss of customer trust, and regulatory compliance issues. The lack of known exploits currently limits immediate widespread impact, but the vulnerability's presence in a popular CMS plugin makes it a high-value target for attackers once exploit code becomes available. Organizations worldwide relying on this plugin face risks to their web application security and user data privacy.
Mitigation Recommendations
Until an official patch is released, organizations should implement several specific mitigations:
1) Disable or remove the Post Carousel Slider plugin if it is not essential, to reduce attack surface.
2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block CSRF and XSS attack patterns targeting the plugin's endpoints.
3) Enforce strict Content Security Policy (CSP) headers to limit the impact of injected scripts.
4) Ensure all users accessing the site have the minimum necessary privileges, to reduce damage from compromised accounts.
5) Monitor web server and application logs for unusual POST requests or suspicious activity related to the plugin.
6) Educate users and administrators about phishing and social engineering risks that could facilitate CSRF exploitation.
7) Once available, promptly apply vendor patches or updates addressing this vulnerability.
8) Review and harden site-wide CSRF protections by implementing anti-CSRF tokens and validating request origins.
These targeted actions go beyond generic advice and focus on reducing risk from this specific vulnerability.
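The following is an added illustration of recommendations 3 and 8 in a WordPress plugin context; it is not code from Post Carousel Slider or its author, and every name prefixed pcs_example_ is a hypothetical placeholder. It shows the pattern that prevents a CSRF request from turning into stored XSS: a nonce bound to the action and the logged-in user, a capability check, an Origin-header check, sanitization on input, and escaping on every output path, plus a restrictive CSP header that limits what an injected script could do if one did land.

```php
<?php
/**
 * Hypothetical hardened settings handler for a WordPress plugin.
 * Added example, not code from Post Carousel Slider; pcs_example_* names are assumptions.
 */

// Render the admin form with a nonce field tied to one specific action.
function pcs_example_render_settings_page() {
    $title = get_option( 'pcs_example_title', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'pcs_example_save', 'pcs_example_nonce' ); ?>
        <input type="hidden" name="action" value="pcs_example_save">
        <!-- Escape the stored value on output so stored markup cannot execute in the admin UI. -->
        <input type="text" name="pcs_example_title" value="<?php echo esc_attr( $title ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Secondary CSRF defense: when the browser sends an Origin header, require it to match the site host.
function pcs_example_origin_is_trusted() {
    if ( empty( $_SERVER['HTTP_ORIGIN'] ) ) {
        return true; // Header may be absent on some same-site navigations; the nonce check still applies.
    }
    $origin_host = wp_parse_url( $_SERVER['HTTP_ORIGIN'], PHP_URL_HOST );
    $site_host   = wp_parse_url( home_url(), PHP_URL_HOST );
    return is_string( $origin_host ) && 0 === strcasecmp( $origin_host, (string) $site_host );
}

// Handle the POST: reject forged requests first, then sanitize before storing.
function pcs_example_save_settings() {
    // Capability check: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Nonce check: the token is bound to the action and the current user's session,
    // so a form auto-submitted from a third-party page cannot supply a valid one.
    check_admin_referer( 'pcs_example_save', 'pcs_example_nonce' );

    if ( ! pcs_example_origin_is_trusted() ) {
        wp_die( 'Cross-origin request rejected', '', array( 'response' => 403 ) );
    }

    // Sanitize on input: strips tags and control characters so markup is never stored.
    $title = isset( $_POST['pcs_example_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['pcs_example_title'] ) )
        : '';
    update_option( 'pcs_example_title', $title );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=pcs-example' ) ) );
    exit;
}
add_action( 'admin_post_pcs_example_save', 'pcs_example_save_settings' );

// Front-end output: escape again at render time (defense in depth, independent of input handling).
function pcs_example_shortcode() {
    $title = get_option( 'pcs_example_title', '' );
    return '<div class="pcs-example-title">' . esc_html( $title ) . '</div>';
}
add_shortcode( 'pcs_example', 'pcs_example_shortcode' );

// Recommendation 3: a restrictive CSP limits what an injected script could do.
// The policy below is a starting point and must be tuned to the theme's own assets.
function pcs_example_send_csp() {
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'" );
}
add_action( 'send_headers', 'pcs_example_send_csp' );
```

The two layers matter separately: the nonce and Origin checks stop the forged request from being accepted at all, while sanitize_text_field on input and esc_attr/esc_html on output mean that even a request that slipped through could not store executable markup. The CSP is deliberately strict; sites that rely on inline or third-party scripts will need to relax script-src, but object-src 'none' and base-uri 'self' are safe to keep almost everywhere.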
Affected Countries
United States, India, United Kingdom, Germany, Canada, Australia, France, Brazil, Netherlands, Japan, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-01-16T11:33:14.050Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69cd7253e6bfc5ba1dee9133
Added to database: 4/1/2026, 7:30:27 PM
Last enriched: 4/1/2026, 8:52:24 PM
Last updated: 4/4/2026, 8:26:25 AM