Skip to main content

Rankchecker.io Integration CVE-2025-28857

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-03-11 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

6
Analysis Updated
Apr 25, 2026 - 00:48 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Severity Changed
Apr 23, 2026 - 15:42 NVD
MEDIUM HIGH
CVSS changed
Apr 23, 2026 - 15:42 NVD
6.1 (MEDIUM) 7.1 (HIGH)
Analysis Generated
Mar 12, 2026 - 19:52 vuln.today
CVE Published
Mar 11, 2025 - 21:15 nvd
MEDIUM 6.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in rankchecker Rankchecker.io Integration allows Stored XSS. This issue affects Rankchecker.io Integration: from n/a through 1.0.9.

AnalysisAI

Stored cross-site scripting (XSS) in Rankchecker.io Integration WordPress plugin versions up to 1.0.9 can be triggered via cross-site request forgery (CSRF), enabling attackers to inject malicious scripts into the application that execute in victims' browsers. While the CVSS base score is 7.1 (High), real-world risk is tempered by the required user interaction (UI:R) and low EPSS score (0.05%, 14th percentile), indicating minimal observed exploitation activity. No CISA KEV listing or public exploit code identified at time of analysis.

Technical ContextAI

This vulnerability represents a chained exploitation scenario combining two distinct weaknesses: CWE-352 (Cross-Site Request Forgery) as the initial attack vector and stored XSS as the ultimate payload. The affected product is a WordPress plugin (CPE: cpe:2.3:a:rankchecker:rankchecker:*:*:*:*:*:wordpress:*:*) that integrates Rankchecker.io services. CSRF vulnerabilities occur when web applications fail to validate that requests originate from authenticated users rather than malicious third-party sites. In this case, the missing CSRF token validation allows attackers to craft malicious requests that, when executed by authenticated administrators, inject persistent JavaScript payloads into the WordPress database. The stored XSS component means the malicious script executes whenever any user (including other admins) views the affected page, persisting beyond the initial CSRF attack. The changed scope (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the plugin's security boundary, consistent with XSS that executes in the broader WordPress admin context.

RemediationAI

Upgrade Rankchecker.io Integration plugin to version 1.1.0 or later if available, verifying the patch addresses both CSRF token validation and output encoding for stored data. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/rankchecker-io-integration/vulnerability/wordpress-rankchecker-io-integration-plugin-1-0-9-csrf-to-stored-cross-site-scripting-xss-vulnerability for vendor-confirmed fix versions. If no patched version exists or upgrade is delayed, implement compensating controls: disable the Rankchecker.io Integration plugin until patched, restrict WordPress admin access to trusted IP ranges via web application firewall rules (trade-off: limits legitimate remote administration), deploy WordPress security plugins that provide CSRF token validation and XSS filtering at the framework level (trade-off: potential conflicts with legitimate plugin functionality), and educate administrators to avoid clicking external links while authenticated to WordPress (trade-off: relies on human behavior). Review WordPress database tables for suspicious stored content that may have been injected prior to remediation, particularly in plugin-specific settings and post/page content areas.

Share

CVE-2025-28857 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy