CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-23922

CVSS 10.0v3.1pub. 2025-01-16upd. 2026-04-23

Cross-Site Request Forgery (CSRF) vulnerability in Harsh iSpring Embedder embed-ispring allows Upload a Web Shell to a Web Server.This issue affects iSpring Embedder: from n/a through <= 1.0.

🤖 AI Analysis
How it works

An attacker exploits the lack of CSRF verification mechanism in the iSpring Embedder plugin, which allows tricking a logged-in WordPress user (e.g., administrator) into unknowingly sending a crafted HTTP request. This request initiates file upload to the server without the user's knowledge or consent. In this way, an attacker can place a web shell on the server — a malicious script enabling remote execution of system commands.

Impact

An attacker gains the ability to execute arbitrary code remotely on the server (RCE via web shell), which can lead to complete server takeover, data leakage, and breach of system integrity and availability.

Mitigation & patch

Patches available from the vendor should be applied according to references. Until updating, it is recommended to deactivate or remove the iSpring Embedder plugin from all WordPress installations.

Who is affected

WordPress plugin iSpring Embedder (embed-ispring) in version 1.0 and all earlier versions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References