CVE-2025-25152: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in LukaszWiecek Smart DoFollow WordPress plugin, affecting versions through 1.0.2. The vulnerability was disclosed on February 7, 2025, and was assigned CVE-2025-25152. This security flaw allows attackers to perform Stored Cross-Site Scripting (XSS) attacks (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery). The CSRF vulnerability can be exploited by unauthenticated attackers and potentially leads to stored XSS attacks (NVD).

The vulnerability allows malicious actors to force higher privileged users to execute unwanted actions under their current authentication, which can lead to stored XSS attacks. This combination of CSRF and stored XSS could potentially compromise the security of the affected WordPress installations (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. Users of the Smart DoFollow plugin version 1.0.2 or earlier should consider removing or disabling the plugin until a security patch is released (Patchstack).