WP jQuery Persian Datepicker CVE-2025-28861
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
6DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in bhzad WP jQuery Persian Datepicker allows Stored XSS. This issue affects WP jQuery Persian Datepicker: from n/a through 0.1.0.
AnalysisAI
CSRF vulnerability in WP jQuery Persian Datepicker plugin for WordPress enables stored cross-site scripting attacks through versions up to 0.1.0. Attackers can trick authenticated administrators into submitting malicious payloads that persist in the application, enabling later exploitation against other users. EPSS score of 0.05% (14th percentile) indicates low observed exploitation probability, and no public exploit code exists at time of analysis.
Technical ContextAI
This vulnerability chain exploits Cross-Site Request Forgery (CWE-352) as an attack vector to achieve stored XSS injection in a WordPress datepicker plugin. The affected component (cpe:2.3:a:bhzad:wp_jquery_persian_datepicker:*:*:*:*:*:wordpress:*:*) lacks CSRF tokens or proper request validation on configuration endpoints, allowing attackers to forge administrative requests. When combined with insufficient output encoding, this enables malicious JavaScript to be stored in plugin settings or data fields and executed in victim browsers during subsequent page loads. The CVSS scope change (S:C) indicates the vulnerability enables attacks beyond the plugin's normal security context, affecting the broader WordPress installation.
RemediationAI
Upstream fix availability not confirmed from provided data sources - Patchstack reference documents the vulnerability but does not specify a patched version number beyond noting 0.1.0 as the latest affected version. Recommended immediate action: remove or disable WP jQuery Persian Datepicker plugin until vendor releases security update. Compensating controls include implementing Web Application Firewall rules to block requests with suspicious JavaScript patterns in form submissions, restricting WordPress admin panel access to trusted IP addresses only (reduces CSRF attack surface but impairs remote administration capabilities), and educating administrators to avoid clicking external links while logged into WordPress admin (relies on user behavior, not technical control). Monitor Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wpjqp-datepicker/ for patch release announcements. If plugin functionality is business-critical, consider migrating to actively maintained alternative datepicker solutions with established security track records.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today