CVE-2025-23800: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in David Hamilton's OrangeBox WordPress plugin, affecting versions up to 3.0.0. The vulnerability was initially reported by researcher SOPROBRO on December 1, 2024, and was publicly disclosed on January 16, 2025. The issue was assigned CVE-2025-23800 and received a CVSS v3.1 base score of 7.1 (High) (Patchstack).

The vulnerability is classified as CWE-352 (Cross-Site Request Forgery). According to the CVSS v3.1 vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction. The scope is changed, with low impacts on confidentiality, integrity, and availability (NVD, Patchstack).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The severity is considered low priority despite the high CVSS score, as it is deemed unlikely to be exploited in practice (Patchstack).

As of January 2025, no official fix is available for this vulnerability. The issue affects OrangeBox versions up to 3.0.0, and Patchstack has indicated that a virtual patch is unnecessary due to the low severity impact (Patchstack).