Skip to main content

Atakan Au Import CDN-Remote Images CVE-2025-48153

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-07-16 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:42 NVD
7.1 (HIGH)
Analysis Generated
Apr 01, 2026 - 17:43 vuln.today
CVE Published
Jul 16, 2025 - 11:15 nvd
N/A

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Atakan Au Import CDN-Remote Images import-cdn-remote-images allows Stored XSS.This issue affects Import CDN-Remote Images: from n/a through <= 2.1.2.

AnalysisAI

Cross-site request forgery in the WordPress Import CDN-Remote Images plugin versions up to 2.1.2 enables stored cross-site scripting attacks through forged requests that bypass CSRF protections. An attacker can craft malicious requests to inject persistent JavaScript payloads into the plugin's configuration or imported content, affecting WordPress installations running vulnerable versions of the plugin. The vulnerability carries low exploitation probability (EPSS 0.02%) and no public exploit code has been identified.

Technical ContextAI

This vulnerability combines two attack classes: CWE-352 (Cross-Site Request Forgery) and stored XSS. The root cause is insufficient CSRF token validation in the Import CDN-Remote Images WordPress plugin, which allows an attacker to forge requests on behalf of authenticated administrators. When a CSRF protection is missing or improperly implemented, an attacker can craft HTML or JavaScript on an external site that, when visited by a logged-in WordPress administrator, executes requests against the vulnerable plugin without the administrator's knowledge. The forged request can modify plugin settings or inject malicious content that gets stored in the WordPress database, resulting in persistent XSS that executes in the browsers of all site visitors. The plugin processes remote image imports, making it a vector for injecting malicious payloads into supposedly legitimate image metadata or import configurations.

Affected ProductsAI

The Import CDN-Remote Images WordPress plugin is affected in versions from an unspecified baseline through version 2.1.2 inclusive. The plugin is hosted on the WordPress.org plugin repository and identified by slug 'import-cdn-remote-images'. The vulnerability was reported by Patchstack's security audit team and documented in their vulnerability database.

RemediationAI

WordPress site administrators should update the Import CDN-Remote Images plugin to a patched version beyond 2.1.2 as soon as available from the WordPress.org plugin repository. Check the official Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Plugin/import-cdn-remote-images/vulnerability/wordpress-import-cdn-remote-images-plugin-2-1-2-cross-site-request-forgery-csrf-vulnerability) for confirmation of patched version availability and detailed remediation steps. As an interim mitigation, administrators should disable the plugin until a patched version is confirmed released, and review plugin settings and imported content for signs of unauthorized modification or injected scripts. Additionally, ensure all WordPress administrators use strong, unique passwords and consider implementing HTTP-only cookies and SameSite cookie attributes to mitigate CSRF attack vectors.

Share

CVE-2025-48153 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy