CVE-2025-25072 identifies a security vulnerability in the thunderbax WP Admin Custom Page WordPress plugin, affecting all versions up to and including 1.5.0. The vulnerability is a Cross-Site Request Forgery (CSRF) flaw that allows attackers to trick authenticated administrators into submitting unauthorized requests. This CSRF flaw leads to Stored Cross-Site Scripting (XSS), where malicious scripts are persistently injected into the WordPress admin pages. Stored XSS in an administrative context is particularly dangerous because it can execute arbitrary JavaScript code with high privileges, potentially allowing attackers to steal cookies, hijack sessions, modify site content, or escalate privileges further. The vulnerability arises from insufficient verification of request authenticity in the plugin’s admin custom page functionality. Since the plugin operates within the wp-admin environment, exploitation requires the victim to be logged in with administrative rights, but no user interaction beyond visiting a crafted page is necessary once authenticated. No CVSS score has been assigned yet, and no patches or public exploits are currently available. The vulnerability was publicly disclosed in early February 2025 and assigned by Patchstack. The lack of patches means affected sites remain vulnerable until mitigations or updates are applied. Given the widespread use of WordPress and the potential for persistent malicious code injection, this vulnerability represents a significant risk to site integrity and administrator security.

The impact of CVE-2025-25072 is significant for organizations running WordPress sites with the thunderbax WP Admin Custom Page plugin installed. Successful exploitation allows attackers to perform unauthorized administrative actions via CSRF, leading to stored XSS attacks that persistently compromise the admin interface. This can result in theft of sensitive information such as authentication cookies, session tokens, or administrative credentials, enabling further compromise or site takeover. The stored XSS can also be used to inject malicious payloads that affect site visitors or administrators, potentially spreading malware or phishing attacks. The integrity of the website content and administrative controls can be undermined, leading to loss of trust, data breaches, and reputational damage. Since exploitation requires an authenticated admin session, the threat is limited to sites with active administrator users, but the ease of exploitation without user interaction beyond authentication increases risk. Organizations with high-value WordPress sites, especially those handling sensitive data or e-commerce, face elevated risks of data loss, service disruption, and compliance violations if this vulnerability is exploited.

To mitigate CVE-2025-25072, organizations should immediately audit their WordPress installations for the presence of the thunderbax WP Admin Custom Page plugin and verify the version in use. Until an official patch is released, consider disabling or uninstalling the plugin to eliminate exposure. Implement strict Content Security Policy (CSP) headers to reduce the impact of stored XSS by restricting script execution sources. Enforce multi-factor authentication (MFA) for all administrator accounts to reduce the risk of session hijacking. Regularly monitor admin activity logs for unusual or unauthorized actions that could indicate exploitation attempts. Educate administrators to avoid clicking on suspicious links while logged into the WordPress admin interface. Employ web application firewalls (WAFs) with custom rules to detect and block CSRF and XSS attack patterns targeting the admin pages. Once a patch becomes available, prioritize immediate update of the plugin. Additionally, review and harden WordPress security configurations, including nonce verification for admin actions, to prevent CSRF vulnerabilities in other plugins or custom code.