Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in OTWthemes Widgetize Pages Light allows Stored XSS. This issue affects Widgetize Pages Light: from n/a through 3.0.
AnalysisAI
Cross-Site Request Forgery (CSRF) vulnerability in OTWthemes Widgetize Pages Light plugin (versions up to 3.0) that enables Stored XSS attacks. An unauthenticated attacker can craft malicious requests to trick authenticated users into performing unintended actions, resulting in persistent XSS payload injection that affects all subsequent visitors. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector and low complexity, indicating moderate real-world exploitability without requiring elevated privileges.
Technical ContextAI
The vulnerability stems from insufficient CSRF token validation (CWE-352) in the OTWthemes Widgetize Pages Light WordPress plugin, a page-building/widget management extension. WordPress plugins commonly handle widget configuration and page customization through POST/GET requests; this plugin fails to properly validate nonce tokens or implement same-site request restrictions. The combination of CSRF weakness with Stored XSS indicates the vulnerability allows attackers to inject malicious JavaScript code into page widgets or content that persists in the database and executes for all users, bypassing content sanitization. The affected product is identified as OTWthemes Widgetize Pages Light, affecting all versions from inception through version 3.0, suggesting the vulnerability exists across the entire documented release history.
RemediationAI
Immediate actions: (1) Update OTWthemes Widgetize Pages Light to version 3.1 or later if available (vendor should have released a patch addressing CSRF token validation and XSS sanitization). (2) If no patch is available, deactivate and remove the plugin pending vendor security release. (3) Implement WordPress security hardening: enable nonce verification via wp_verify_nonce(), use wp_kses_post() for output escaping, and implement Content Security Policy headers. (4) For administrators: audit recent widget changes in the plugin's configuration, check for suspicious JavaScript in widget content, and review user activity logs for unauthorized modifications. (5) Consider using Web Application Firewall (WAF) rules to block requests without valid CSRF tokens to OTWthemes admin pages. (6) Reset session cookies for all administrative users to invalidate any hijacked sessions if compromise is suspected.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17236