Skip to main content

WP jQuery Persian Datepicker CVE-2025-28861

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-03-11 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

6
Analysis Updated
Apr 25, 2026 - 00:46 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Severity Changed
Apr 23, 2026 - 15:42 NVD
MEDIUM HIGH
CVSS changed
Apr 23, 2026 - 15:42 NVD
6.1 (MEDIUM) 7.1 (HIGH)
Analysis Generated
Mar 12, 2026 - 19:52 vuln.today
CVE Published
Mar 11, 2025 - 21:15 nvd
MEDIUM 6.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in bhzad WP jQuery Persian Datepicker allows Stored XSS. This issue affects WP jQuery Persian Datepicker: from n/a through 0.1.0.

AnalysisAI

CSRF vulnerability in WP jQuery Persian Datepicker plugin for WordPress enables stored cross-site scripting attacks through versions up to 0.1.0. Attackers can trick authenticated administrators into submitting malicious payloads that persist in the application, enabling later exploitation against other users. EPSS score of 0.05% (14th percentile) indicates low observed exploitation probability, and no public exploit code exists at time of analysis.

Technical ContextAI

This vulnerability chain exploits Cross-Site Request Forgery (CWE-352) as an attack vector to achieve stored XSS injection in a WordPress datepicker plugin. The affected component (cpe:2.3:a:bhzad:wp_jquery_persian_datepicker:*:*:*:*:*:wordpress:*:*) lacks CSRF tokens or proper request validation on configuration endpoints, allowing attackers to forge administrative requests. When combined with insufficient output encoding, this enables malicious JavaScript to be stored in plugin settings or data fields and executed in victim browsers during subsequent page loads. The CVSS scope change (S:C) indicates the vulnerability enables attacks beyond the plugin's normal security context, affecting the broader WordPress installation.

RemediationAI

Upstream fix availability not confirmed from provided data sources - Patchstack reference documents the vulnerability but does not specify a patched version number beyond noting 0.1.0 as the latest affected version. Recommended immediate action: remove or disable WP jQuery Persian Datepicker plugin until vendor releases security update. Compensating controls include implementing Web Application Firewall rules to block requests with suspicious JavaScript patterns in form submissions, restricting WordPress admin panel access to trusted IP addresses only (reduces CSRF attack surface but impairs remote administration capabilities), and educating administrators to avoid clicking external links while logged into WordPress admin (relies on user behavior, not technical control). Monitor Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wpjqp-datepicker/ for patch release announcements. If plugin functionality is business-critical, consider migrating to actively maintained alternative datepicker solutions with established security track records.

Share

CVE-2025-28861 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy