Cross-Site Request Forgery Vulnerability in Thunderbax WP Admin Custom Page
CVE-2025-25072

7.1HIGH

Key Information:

Vendor: WordPress
Status: WP Admin Custom Page
Vendor: CVE Published:; 7 February 2025

What is CVE-2025-25072?

A Cross-Site Request Forgery vulnerability has been identified in Thunderbax WP Admin Custom Page, enabling attackers to perform unauthorized actions on behalf of a user. This flaw can result in Stored XSS, potentially allowing malicious scripts to be executed within the context of the logged-in user. The vulnerability spans versions from n/a up to 1.5.0, making it critical for users to apply necessary updates and patches promptly to mitigate these risks.

Affected Version(s)

WP Admin Custom Page <= 1.5.0

References

https://patchstack.com/database/wordpress/plugin/wp-admin...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 7, 2025
Vulnerability Reserved
Feb 3, 2025

Credit

SOPROBRO (Patchstack Alliance)