wpNamedUsers CVE-2025-48083
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
5DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in andriassundskard wpNamedUsers wpnamedusers allows Stored XSS.This issue affects wpNamedUsers: from n/a through <= 0.5.
AnalysisAI
Cross-Site Request Forgery in WordPress wpNamedUsers plugin (versions ≤0.5) enables attackers to inject persistent malicious scripts by tricking authenticated administrators into submitting crafted requests. Patchstack identified this vulnerability chain where CSRF bypasses lack of request validation, allowing stored XSS payload injection into the WordPress database. With EPSS probability at 0.02% (4th percentile) and no CISA KEV listing, this represents a lower immediate exploitation risk despite the 7.1 CVSS score, though the changed scope (S:C) indicates potential cross-domain impact if exploited.
Technical ContextAI
This is a chained vulnerability in the wpNamedUsers WordPress plugin affecting versions through 0.5. The root cause is CWE-352 (Cross-Site Request Forgery), where the plugin fails to implement WordPress nonce validation or other anti-CSRF tokens on administrative functions. This CSRF weakness serves as the attack vector for CWE-79 (Stored XSS), allowing attackers to bypass origin validation and inject JavaScript payloads that persist in the WordPress database. The changed scope (S:C) in the CVSS vector indicates the XSS payload executes in victim browsers under a different security context than the vulnerable plugin, enabling cross-origin attacks. WordPress plugins commonly expose administrative endpoints without proper CSRF protection, making this a prevalent vulnerability class in the ecosystem.
Affected ProductsAI
WordPress wpNamedUsers plugin versions 0.5 and earlier are vulnerable. The plugin, developed by andriassundskard, is available through the WordPress plugin repository. Patchstack database entry confirms vulnerability affects all versions up to and including 0.5. Organizations can verify installation by checking wp-content/plugins/wpnamedusers/ directory or WordPress admin panel under installed plugins. No specific CPE identifier is available in the provided data. Vendor advisory or patch information from the plugin author has not been independently confirmed in available references.
RemediationAI
Primary mitigation: Immediately disable and remove wpNamedUsers plugin version 0.5 and earlier from all WordPress installations until a patched version is released by the plugin author. Verify removal by checking wp-content/plugins/ directory and WordPress admin panel. Monitor the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/wpnamedusers/vulnerability/wordpress-wpnamedusers-plugin-0-5-cross-site-request-forgery-csrf-to-stored-xss-vulnerability?_s_id=cve for vendor patch announcements. Compensating controls if plugin functionality is business-critical: restrict WordPress admin access to trusted IP addresses via .htaccess or firewall rules (reduces CSRF attack surface but limits remote administration); implement Web Application Firewall rules to block requests with suspicious JavaScript patterns in POST parameters (may cause false positives with legitimate HTML content); mandate security awareness training for administrators on recognizing phishing and social engineering attempts that deliver CSRF payloads. Note these workarounds do not address the root vulnerability and plugin should be replaced with an alternative solution or removed entirely.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today