Skip to main content

wpNamedUsers CVE-2025-48083

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-11-06 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Analysis Updated
Apr 24, 2026 - 01:04 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:43 NVD
8.8 (HIGH) 7.1 (HIGH)
Analysis Generated
Mar 28, 2026 - 19:20 vuln.today
CVE Published
Nov 06, 2025 - 16:15 nvd
HIGH 8.8

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in andriassundskard wpNamedUsers wpnamedusers allows Stored XSS.This issue affects wpNamedUsers: from n/a through <= 0.5.

AnalysisAI

Cross-Site Request Forgery in WordPress wpNamedUsers plugin (versions ≤0.5) enables attackers to inject persistent malicious scripts by tricking authenticated administrators into submitting crafted requests. Patchstack identified this vulnerability chain where CSRF bypasses lack of request validation, allowing stored XSS payload injection into the WordPress database. With EPSS probability at 0.02% (4th percentile) and no CISA KEV listing, this represents a lower immediate exploitation risk despite the 7.1 CVSS score, though the changed scope (S:C) indicates potential cross-domain impact if exploited.

Technical ContextAI

This is a chained vulnerability in the wpNamedUsers WordPress plugin affecting versions through 0.5. The root cause is CWE-352 (Cross-Site Request Forgery), where the plugin fails to implement WordPress nonce validation or other anti-CSRF tokens on administrative functions. This CSRF weakness serves as the attack vector for CWE-79 (Stored XSS), allowing attackers to bypass origin validation and inject JavaScript payloads that persist in the WordPress database. The changed scope (S:C) in the CVSS vector indicates the XSS payload executes in victim browsers under a different security context than the vulnerable plugin, enabling cross-origin attacks. WordPress plugins commonly expose administrative endpoints without proper CSRF protection, making this a prevalent vulnerability class in the ecosystem.

Affected ProductsAI

WordPress wpNamedUsers plugin versions 0.5 and earlier are vulnerable. The plugin, developed by andriassundskard, is available through the WordPress plugin repository. Patchstack database entry confirms vulnerability affects all versions up to and including 0.5. Organizations can verify installation by checking wp-content/plugins/wpnamedusers/ directory or WordPress admin panel under installed plugins. No specific CPE identifier is available in the provided data. Vendor advisory or patch information from the plugin author has not been independently confirmed in available references.

RemediationAI

Primary mitigation: Immediately disable and remove wpNamedUsers plugin version 0.5 and earlier from all WordPress installations until a patched version is released by the plugin author. Verify removal by checking wp-content/plugins/ directory and WordPress admin panel. Monitor the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/wpnamedusers/vulnerability/wordpress-wpnamedusers-plugin-0-5-cross-site-request-forgery-csrf-to-stored-xss-vulnerability?_s_id=cve for vendor patch announcements. Compensating controls if plugin functionality is business-critical: restrict WordPress admin access to trusted IP addresses via .htaccess or firewall rules (reduces CSRF attack surface but limits remote administration); implement Web Application Firewall rules to block requests with suspicious JavaScript patterns in POST parameters (may cause false positives with legitimate HTML content); mandate security awareness training for administrators on recognizing phishing and social engineering attempts that deliver CSRF payloads. Note these workarounds do not address the root vulnerability and plugin should be replaced with an alternative solution or removed entirely.

Share

CVE-2025-48083 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy