CVE-2025-25154 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the scweber Custom Comment Notifications plugin, specifically versions up to and including 1.0.8. The plugin is designed to manage comment notifications in web applications, likely WordPress-based. The CSRF flaw allows attackers to trick authenticated users into submitting unauthorized requests to the application, exploiting the trust between the user and the web server. This vulnerability is compounded by the presence of stored Cross-Site Scripting (XSS), where malicious scripts injected by the attacker are stored persistently within the application’s data, such as comment notifications. When other users or administrators access the affected pages, the malicious scripts execute in their browsers, potentially stealing session cookies, redirecting users, or performing actions on their behalf. The combination of CSRF and stored XSS significantly increases the attack surface and impact. No CVSS score has been assigned yet, and no patches or known exploits have been reported as of the publication date. The vulnerability affects all versions up to 1.0.8, with no indication of fixes in later versions. The plugin’s user base, primarily WordPress site administrators who use this plugin for comment notification customization, is at risk. The attack requires the victim to be authenticated and to visit a maliciously crafted webpage or link, which triggers the CSRF attack leading to stored XSS payload injection. This vulnerability can compromise confidentiality, integrity, and availability of affected sites and their users.

The impact of CVE-2025-25154 is significant for organizations using the scweber Custom Comment Notifications plugin. Successful exploitation can lead to persistent stored XSS attacks, allowing attackers to execute arbitrary JavaScript in the context of the victim’s browser. This can result in session hijacking, credential theft, unauthorized actions on the site, and potential malware distribution. The CSRF aspect means attackers can perform these actions without the victim’s explicit consent, leveraging their authenticated session. For organizations, this could lead to data breaches, defacement, loss of user trust, and compliance violations. Since the plugin is typically used in WordPress environments, which are widely deployed globally, the scope of affected systems is broad. The absence of patches increases the window of exposure. While no exploits are currently known in the wild, the vulnerability’s nature makes it a likely target for attackers once weaponized. The combined CSRF and stored XSS vulnerability can severely impact confidentiality and integrity, with availability potentially affected if attackers deface or disrupt services.

To mitigate CVE-2025-25154, organizations should immediately assess their use of the scweber Custom Comment Notifications plugin and consider disabling or uninstalling it until a patch is released. Restrict plugin access to trusted administrators only and review user roles to minimize the number of users with permissions to perform actions that could be exploited via CSRF. Implement Web Application Firewall (WAF) rules to detect and block CSRF and XSS attack patterns targeting the plugin’s endpoints. Encourage users to avoid clicking on suspicious links and educate administrators about the risks of CSRF and stored XSS. Monitor web server and application logs for unusual activity indicative of exploitation attempts. If disabling the plugin is not feasible, consider applying custom CSRF tokens and input sanitization measures at the application level as a temporary workaround. Stay updated with vendor announcements for official patches and apply them promptly once available. Conduct regular security assessments and penetration tests focusing on comment notification features to detect residual vulnerabilities.