WordPress Hashtags Plugin CVE-2025-28931
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in DevriX Hashtags allows Stored XSS. This issue affects Hashtags: from n/a through 0.3.2.
AnalysisAI
Stored cross-site scripting (XSS) in DevriX Hashtags WordPress plugin 0.3.2 and earlier allows remote attackers to inject malicious scripts via CSRF-chained attack. Unauthenticated attackers can trick authenticated administrators into executing malicious requests that persist XSS payloads in the application. EPSS score of 0.05% (14th percentile) indicates low automated exploitation likelihood despite network attack vector. No active exploitation confirmed via CISA KEV, though publicly available exploit code exists. Scope change in CVSS vector indicates malicious script executes in victim's browser context, enabling session hijacking or privilege escalation.
Technical ContextAI
This is a chained vulnerability combining CWE-352 (Cross-Site Request Forgery) with stored XSS in a WordPress plugin. The DevriX Hashtags plugin fails to implement CSRF tokens on administrative endpoints and lacks proper input sanitization. WordPress plugins operate within the WordPress PHP execution environment and typically provide administrative interfaces accessible to authenticated users with sufficient privileges. The CSRF vulnerability allows attackers to bypass WordPress's same-origin policy protections by forging requests from authenticated users. The stored XSS component suggests user-controlled data (likely hashtag values or configuration settings) is persisted to the database without sanitization and then rendered without proper output encoding in administrative panels or public-facing pages. The scope change (S:C) in the CVSS vector indicates the injected JavaScript executes in a different security context than the vulnerable plugin, affecting the broader WordPress installation or site visitors.
Affected ProductsAI
DevriX Hashtags WordPress plugin versions 0.3.2 and all earlier versions are affected. The vulnerability exists in the wp-hashtags plugin package distributed through the WordPress.org plugin repository. No CPE identifier was provided in the available data. Vendor security advisory available at Patchstack database: https://patchstack.com/database/wordpress/plugin/wp-hashtags/vulnerability/wordpress-wordpress-hashtags-plugin-0-3-2-csrf-to-stored-xss-vulnerability
RemediationAI
Immediately update DevriX Hashtags plugin to a version newer than 0.3.2 if available, or remove the plugin entirely if not actively required for business operations. Consult the WordPress.org plugin repository or vendor directly for patched release information, as no specific fix version was confirmed in available data. If update is not immediately possible, implement these compensating controls: disable the Hashtags plugin via WordPress admin panel (Plugins → Deactivate) until patched version is available; restrict WordPress administrative access to trusted IP addresses via .htaccess or firewall rules; implement Content Security Policy headers to mitigate stored XSS execution (note: may break legitimate plugin functionality); enable WordPress activity logging to detect unauthorized configuration changes. For additional defense, configure web application firewall (WAF) rules to block suspicious POST requests to wp-admin endpoints containing script tags or JavaScript event handlers. Advisory references: https://patchstack.com/database/wordpress/plugin/wp-hashtags/vulnerability/wordpress-wordpress-hashtags-plugin-0-3-2-csrf-to-stored-xss-vulnerability
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today