Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in David Shabtai Post Author allows Stored XSS. This issue affects Post Author: from n/a through 1.1.1.
AnalysisAI
Cross-Site Request Forgery (CSRF) vulnerability in David Shabtai's Post Author WordPress plugin (versions through 1.1.1) that enables Stored Cross-Site Scripting (XSS) attacks. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads that execute in the browsers of all users viewing affected content, potentially leading to account compromise, data theft, or malware distribution. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector and low complexity, indicating practical exploitability without authentication.
Technical ContextAI
The vulnerability stems from inadequate CSRF token validation (CWE-352) in the David Shabtai Post Author plugin, a WordPress plugin designed to manage and display post authorship information. The root cause is the failure to implement or properly verify anti-CSRF tokens on state-changing operations, allowing attackers to forge requests from victim browsers. The flaw is compounded by insufficient input sanitization, permitting the injection of malicious script content that persists in the database as Stored XSS. The plugin processes user-supplied data without proper escaping before output rendering, violating WordPress security best practices. This combination of CSRF + Stored XSS (rather than CSRF alone) significantly elevates the impact from session hijacking to persistent malicious script injection affecting all site visitors.
RemediationAI
Immediate remediation steps: (1) Deactivate and remove the David Shabtai Post Author plugin from all WordPress installations until a patched version is released; (2) Search the WordPress site database for suspicious content injected via the plugin (look for script tags or unusual modifications to post metadata); (3) If Stored XSS has been injected, sanitize database entries and audit user accounts for unauthorized access; (4) Monitor WordPress logs and user activity for signs of compromise. Long-term: update to the latest patched version once released by the vendor (version >1.1.1 or awaiting vendor advisory). Workaround: If the plugin is essential, temporarily restrict plugin access via WordPress user role management and implement Web Application Firewall (WAF) rules to block script injection patterns. Check the official WordPress.org plugin repository or vendor website for security advisories and patched releases.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17167