CVE-2025-23694: 
WordPress vulnerability analysis and mitigation

The Cross-Site Request Forgery (CSRF) vulnerability (CVE-2025-23694) was discovered in Shabbos Commerce's Shabbos and Yom Tov WordPress plugin, affecting versions up to and including 1.9. The vulnerability was disclosed on January 16, 2025, by security researcher SOPROBRO. The issue stems from missing or incorrect nonce validation on a function, which can lead to Stored Cross-Site Scripting (XSS) attacks (WPScan, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The issue is classified under CWE-352 (Cross-Site Request Forgery). The vulnerability allows for CSRF attacks that can lead to stored XSS, potentially enabling attackers to inject malicious web scripts through forged requests (Patchstack).

The vulnerability allows unauthenticated attackers to update settings and inject malicious web scripts via forged requests, provided they can trick a site administrator into performing specific actions such as clicking on a malicious link (WPScan).

As of the disclosure date, there is no known fix available for this vulnerability. Users of the affected plugin versions should consider implementing additional security measures or temporarily disabling the plugin until a patch is released (WPScan).