The vulnerability CVE-2025-25154 affects the scweber Custom Comment Notifications plugin (<= 1.0.8) and is characterized as a Cross-Site Request Forgery (CSRF) that enables stored Cross-Site Scripting (XSS). An attacker can exploit this by tricking an authenticated user into submitting a crafted request, which leads to malicious script storage and execution within the application context. The CVSS 3.1 base score of 7.1 reflects the network attack vector, low complexity, no privileges required, but requiring user interaction, with impacts on confidentiality, integrity, and availability. There is no indication of known exploits in the wild or vendor-provided patches at this time.

Successful exploitation of this vulnerability can lead to stored XSS, allowing attackers to execute arbitrary scripts in the context of affected users. This can compromise user confidentiality, integrity, and availability of the affected system. The CSRF aspect means that attackers can induce authenticated users to perform unwanted actions without their consent. The overall impact is rated high due to the combination of CSRF and stored XSS.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or limiting the use of the affected Custom Comment Notifications plugin to reduce exposure. Monitoring vendor channels for updates is recommended.