Skip to main content

CVE-2025-49343

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-12-31 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:43 NVD
7.1 (HIGH)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 06:15 nvd
N/A

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in socialprofilr Social Profilr social-profilr-display-social-network-profile allows Stored XSS.This issue affects Social Profilr: from n/a through <= 1.0.

AnalysisAI

Cross-site request forgery (CSRF) vulnerability in the Social Profilr WordPress plugin version 1.0 and earlier allows attackers to perform unauthorized actions on behalf of authenticated administrators, potentially leading to stored cross-site scripting (XSS) attacks. The vulnerability affects the social-profilr-display-social-network-profile plugin and carries a low exploitation probability (EPSS 0.02%), with no public exploit code or confirmed active exploitation identified at the time of analysis.

Technical ContextAI

Social Profilr is a WordPress plugin designed to display social network profiles. The vulnerability stems from inadequate CSRF token validation (CWE-352) in the plugin's functionality, allowing attackers to craft malicious requests that, when executed by an authenticated administrator, can trigger unintended state-changing operations. The plugin lacks proper nonce verification or CSRF protection mechanisms in its administrative actions. WordPress plugins are server-side PHP applications that extend WordPress functionality; this particular plugin handles social network profile display, making it a target for attacks that could compromise site appearance and user trust.

Affected ProductsAI

The vulnerability affects the Social Profilr WordPress plugin (socialprofilr/social-profilr-display-social-network-profile) in version 1.0 and all earlier versions. The plugin is distributed through the WordPress plugin repository and alternative sources. Affected systems include WordPress installations running this plugin on any version of WordPress that supports the plugin. Further details are available in the Patchstack database entry referenced in the advisories.

RemediationAI

Update the Social Profilr plugin to a version newer than 1.0 if available from the plugin repository or the vendor. If no patched version is currently available, disable and remove the plugin from your WordPress installation until a secure version is released. Administrators should verify plugin updates through the WordPress admin dashboard (Plugins > Installed Plugins) and enable automatic updates where possible. Review the Patchstack database entry and the plugin's official repository for the latest version information and security advisories. As a temporary control, restrict administrative access to trusted users and educate administrators about not clicking suspicious links from untrusted sources.

Share

CVE-2025-49343 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy