Skip to main content

Insert Code WordPress Plugin CVE-2025-28932

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-03-11 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:34 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 19:52 vuln.today
CVE Published
Mar 11, 2025 - 21:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in BCS Website Solutions Insert Code allows Stored XSS. This issue affects Insert Code: from n/a through 2.4.

AnalysisAI

Stored XSS via CSRF in Insert Code WordPress plugin versions through 2.4 allows unauthenticated remote attackers to inject malicious scripts by tricking authenticated administrators into executing forged requests. The CSRF weakness (CWE-352) enables attackers to bypass normal access controls and store XSS payloads in the plugin's code insertion functionality. With CVSS 7.1 (High) and changed scope (S:C), successful exploitation impacts confidentiality, integrity, and availability across security boundaries. EPSS score of 0.05% (14th percentile) indicates low probability of mass exploitation, and no public exploit code or CISA KEV listing identified at time of analysis.

Technical ContextAI

Insert Code is a WordPress plugin by BCS Website Solutions that allows administrators to inject custom HTML, CSS, or JavaScript into WordPress sites. The vulnerability chain combines CWE-352 (Cross-Site Request Forgery) with stored XSS. CSRF occurs when the plugin fails to validate anti-CSRF tokens or nonces on administrative functions that accept and store code snippets. This allows attackers to craft malicious forms on external sites that, when submitted by an authenticated WordPress admin, insert attacker-controlled JavaScript into the plugin's storage. The stored XSS payload then executes in the context of the WordPress site whenever the injected code is rendered, affecting all users including other administrators. The changed scope (S:C) in CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L indicates the injected code can escape the plugin's security context and impact the broader WordPress application.

Affected ProductsAI

Insert Code WordPress plugin by BCS Website Solutions, versions from initial release through 2.4. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/insert-code/vulnerability/wordpress-insert-code-plugin-2-4-csrf-to-stored-xss-vulnerability provides vulnerability details. No CPE identifiers available in provided data. All WordPress installations running vulnerable Insert Code versions with administrative users potentially susceptible to CSRF attacks are affected.

RemediationAI

Primary mitigation: Immediately update Insert Code plugin to version 2.5 or later if available (patch version not independently confirmed from provided data - verify current version at WordPress.org plugin repository or Patchstack advisory https://patchstack.com/database/wordpress/plugin/insert-code/vulnerability/wordpress-insert-code-plugin-2-4-csrf-to-stored-xss-vulnerability). If no patched version exists, disable and remove the Insert Code plugin entirely and migrate functionality to alternative code injection plugins with verified CSRF protections such as Code Snippets or Header Footer Code Manager. Compensating controls if plugin must remain active: Implement WordPress security plugins with CSRF protection capabilities, restrict plugin administrative access to minimal trusted users via role-based access control, educate administrators to never click external links while logged into WordPress admin panel, and enable WordPress audit logging to detect unauthorized code injection attempts. Note that disabling the plugin eliminates attack surface but removes intended functionality.

Share

CVE-2025-28932 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy