CVE-2025-25137
Description
Cross-Site Request Forgery (CSRF) vulnerability in kareemsultan Social Links social-links allows Stored XSS. This issue affects Social Links: from n/a through <= 1.0.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in Social Links plugin ≤1.0.11 allows attackers to force stored XSS by tricking a privileged user into a crafted request.
Vulnerability
Overview
The Social Links WordPress plugin (versions through 1.0.11) contains a Cross-Site Request Forgery (CSRF) vulnerability that enables stored Cross-Site Scripting (XSS) [1]. The root cause is a state-changing operation (a settings write) that is not protected by a CSRF token, so a request forged from a third-party site is accepted as if the logged-in user had submitted it. Because the written value is stored without adequate sanitization, the attacker can plant a script that is saved on the server and later executed in the browsers of other users who view the affected page. The attacker needs no account on the target site; the victim's authenticated session supplies the privileges for the write.
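To make the bug class concrete, the following is an added illustration and not code from the Social Links plugin: a generic WordPress settings handler written in the vulnerable shape described above, followed by the hardened shape a fix would need (nonce verification, capability check, input sanitization and context-appropriate output escaping). All function, option and nonce names (sl_example_*) are hypothetical, as is the `sl_links` field.

```php
<?php
// Added illustration of the CVE-2025-25137 bug class. Not the plugin's code;
// every name below (sl_example_*, the sl_links field) is hypothetical.

// ---------------------------------------------------------------------------
// Vulnerable pattern: a state-changing admin action with no nonce check, no
// capability check and no sanitization. An auto-submitted cross-site form
// POSTing sl_links=<script>...</script> while an admin is logged in is
// accepted, stored, and later echoed raw to every viewer (stored XSS).
// ---------------------------------------------------------------------------
function sl_example_save_links_vulnerable() {
    if ( isset( $_POST['sl_links'] ) ) {
        update_option( 'sl_example_links', $_POST['sl_links'] ); // stored verbatim
    }
}
add_action( 'admin_init', 'sl_example_save_links_vulnerable' ); // runs on every admin request

function sl_example_render_links_vulnerable() {
    $links = get_option( 'sl_example_links', '' );
    echo '<div class="social-links">' . $links . '</div>'; // raw output: payload executes here
}

// ---------------------------------------------------------------------------
// Hardened pattern.
// ---------------------------------------------------------------------------

// 1. The settings form carries a nonce bound to this specific action. A page on
//    another origin cannot read this value, so it cannot forge a valid request.
function sl_example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="sl_example_save_links">
        <?php wp_nonce_field( 'sl_example_save_links', 'sl_example_nonce' ); ?>
        <input type="url" name="sl_links"
               value="<?php echo esc_attr( get_option( 'sl_example_links', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. The handler verifies the nonce first (defeats CSRF: check_admin_referer()
//    dies with a 403 on a missing or invalid token), then checks that the user
//    is actually allowed to change settings, then sanitizes before storing.
function sl_example_save_links_hardened() {
    check_admin_referer( 'sl_example_save_links', 'sl_example_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }

    // esc_url_raw() rejects javascript: and other non-http(s) schemes, so a
    // script payload never reaches the database in the first place.
    $url = isset( $_POST['sl_links'] ) ? esc_url_raw( wp_unslash( $_POST['sl_links'] ) ) : '';
    update_option( 'sl_example_links', $url );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}
// Registered for a named admin-post action rather than admin_init, so it only
// runs when this form is deliberately submitted.
add_action( 'admin_post_sl_example_save_links', 'sl_example_save_links_hardened' );

// 3. Output is escaped for its context even though the input was sanitized;
//    escaping on output is what stops a stored payload from ever executing.
function sl_example_render_links_hardened() {
    $url = get_option( 'sl_example_links', '' );
    if ( $url ) {
        echo '<a href="' . esc_url( $url ) . '">' . esc_html( $url ) . '</a>';
    }
}
```

The two fixes are independent and both are needed: the nonce stops the cross-site write, and sanitization plus output escaping stop any value that does get stored (through this path or another) from executing. Checking the nonce alone would still leave a self-XSS for any user who can reach the form.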
Exploitation
Conditions
To exploit this, an attacker must trick a privileged user (such as an administrator) into clicking a crafted link or visiting a malicious page while authenticated to the WordPress site [1]; the page submits a forged request to the plugin's settings endpoint, which the victim's browser sends with the victim's session cookies. The attacker needs no account on the target site: the victim's authenticated session supplies the privileges for the write. The attack does not require any special network position and can be conducted remotely.
Impact
Successful exploitation results in stored XSS, meaning the injected script is saved on the server and executed each time a victim views the affected page [1]. Because the script runs in the victim's browser with the victim's session, an attacker could use it to steal session cookies, modify site content, or perform actions on behalf of the targeted user, including an administrator. Vulnerabilities of this kind in WordPress plugins are routinely used in mass-exploit campaigns that target sites regardless of their popularity [1].
Mitigation
As of the advisory date (March 3, 2025), users are urged to update the Social Links plugin to a patched version if available [1]; check the plugin's changelog for a release later than 1.0.11. If no fixed release exists, administrators should deactivate or remove the plugin. As a temporary workaround, Web Application Firewall rules can reject state-changing requests to the plugin's admin endpoints that arrive from third-party origins (for example by checking the Origin or Referer header), and administrators should avoid browsing untrusted sites while logged in to wp-admin.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.