CVE-2025-23713: 
WordPress vulnerability analysis and mitigation

The Hack me if you can WordPress plugin versions up to and including 1.2 contains a Cross-Site Request Forgery (CSRF) vulnerability that can lead to Stored Cross-Site Scripting. The vulnerability was discovered by SOPROBRO and publicly disclosed on January 16, 2025. This security issue affects the plugin's functionality due to missing or incorrect nonce validation (WPScan, Patchstack).

The vulnerability stems from improper implementation of security controls, specifically the absence of proper nonce validation in certain functions. The severity of this vulnerability has been assessed with a CVSS score of 6.1 (medium) according to WPScan, while Patchstack rates it at 7.1 (low). The vulnerability is classified under CWE-352 and falls into the OWASP Top 10 category A2: Broken Authentication and Session Management (WPScan, Patchstack).

The vulnerability allows unauthenticated attackers to update settings and inject malicious web scripts through forged requests, provided they can deceive a site administrator into performing specific actions such as clicking on a malicious link. This could potentially lead to stored cross-site scripting attacks, compromising the website's security (WPScan).

Currently, there is no known fix available for this vulnerability. Website administrators using the affected plugin versions should consider removing the plugin until a security patch is released (WPScan).