CVE-2025-23617: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Oliver Schaal's Floatbox Plus WordPress plugin, affecting versions up to 1.4.4. The vulnerability was reported on October 28, 2024, and publicly disclosed on January 16, 2025. The issue allows for Stored Cross-Site Scripting (XSS) attacks (Patchstack).

The vulnerability has been assigned CVE-2025-23617 and received a CVSS v3.1 score of 7.1 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) and allows unauthenticated attackers to execute unwanted actions through CSRF attacks that can lead to stored XSS (Patchstack, NVD).

The vulnerability allows malicious actors to force higher privileged users to execute unwanted actions under their current authentication, potentially leading to stored cross-site scripting attacks. The severity is considered high according to the CVSS score, though Patchstack has classified it as having a low priority impact that is unlikely to be exploited (Patchstack).

Currently, there is no official fix available for this vulnerability in the Floatbox Plus plugin. The latest affected version is 1.4.4, and no patched version has been released as of the disclosure date (Patchstack).