CVE-2025-49343
Description
Cross-Site Request Forgery (CSRF) vulnerability in socialprofilr Social Profilr social-profilr-display-social-network-profile allows Stored XSS. This issue affects Social Profilr: from n/a through <= 1.0.
Analysis
A cross-site request forgery (CSRF) vulnerability in the Social Profilr WordPress plugin, version 1.0 and earlier, allows an attacker to perform unauthorized state-changing actions through the browser of an authenticated administrator. Because the plugin renders what it stores, a forged request can be used to plant a stored cross-site scripting (XSS) payload. The affected plugin slug is social-profilr-display-social-network-profile. The issue carries a low exploitation probability (EPSS 0.02%), and no public exploit code or confirmed active exploitation had been identified at the time of analysis.
Technical Context
Social Profilr is a WordPress plugin that displays social network profiles on a site. The vulnerability stems from missing CSRF protection (CWE-352): at least one state-changing administrative action in the plugin does not verify a WordPress nonce, so an attacker can craft a request (for example, a hidden auto-submitting form on an attacker-controlled page) that, when an authenticated administrator's browser sends it, changes plugin settings without the administrator's intent. The browser attaches the victim's session cookies to the cross-site POST, and the same-origin policy does not prevent the request from being sent, so the check has to happen on the server. Since the plugin later renders the stored values on the site, an attacker who controls a setting through such a request can store script that is served to every visitor, which is the stored XSS the advisory describes. WordPress plugins are server-side PHP, so the fix is a server-side one: verify a nonce on every state-changing request, check the caller's capability, validate input, and escape output at the point it is rendered.
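The following is an added example and not the Social Profilr plugin's own code. It shows a hypothetical settings handler of the kind described above, first without CSRF protection and then hardened with the standard WordPress controls. All names prefixed `sp_demo_` (the option, actions, nonce and functions) are invented for this illustration; the WordPress functions themselves (`check_admin_referer`, `current_user_can`, `wp_nonce_field`, `esc_url_raw`, `esc_url`, `esc_attr`) are real core APIs, and the code assumes it runs inside a loaded WordPress.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress is loaded and the
// handlers are reached via wp-admin/admin-post.php. Names with the sp_demo_
// prefix are hypothetical.

// ---- VULNERABLE (CWE-352 leading to stored XSS) -----------------------------
// No nonce check: any third-party page the administrator visits can auto-submit
//   <form action=".../wp-admin/admin-post.php" method="post">
//     <input name="action" value="sp_demo_save_vuln">
//     <input name="profile_url" value='"><script>...</script>'>
//   </form>
// and the browser attaches the admin's cookies. No capability check either,
// and the value is stored verbatim.
add_action( 'admin_post_sp_demo_save_vuln', function () {
    update_option( 'sp_demo_profile_url', $_POST['profile_url'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=sp-demo' ) );
    exit;
} );

function sp_demo_render_vuln() {
    // Stored XSS sink: the unescaped option lands inside an HTML attribute.
    echo '<a href="' . get_option( 'sp_demo_profile_url', '' ) . '">Profile</a>';
}

// ---- HARDENED -------------------------------------------------------------
add_action( 'admin_post_sp_demo_save', function () {
    // 1. CSRF: the request must carry a nonce minted for this action and this
    //    user. check_admin_referer() calls wp_die() with a 403 if it is missing
    //    or invalid, so a forged cross-site POST stops here.
    check_admin_referer( 'sp_demo_save_action', 'sp_demo_nonce' );

    // 2. Authorization: a nonce proves intent, not privilege. Without this, a
    //    logged-in subscriber who can obtain a nonce could still save settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 3. Input validation: only http(s) URLs survive; javascript:, data: and
    //    anything that is not a URL come back as an empty string.
    $raw = isset( $_POST['profile_url'] ) ? wp_unslash( $_POST['profile_url'] ) : '';
    $url = esc_url_raw( $raw, array( 'http', 'https' ) );
    if ( '' === $url ) {
        wp_die( 'Invalid profile URL.', '', array( 'response' => 400 ) );
    }

    update_option( 'sp_demo_profile_url', $url );
    wp_safe_redirect( admin_url( 'options-general.php?page=sp-demo' ) );
    exit;
} );

// The settings form embeds the nonce that the handler above verifies.
function sp_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="sp_demo_save">
        <?php wp_nonce_field( 'sp_demo_save_action', 'sp_demo_nonce' ); ?>
        <input type="url" name="profile_url"
               value="<?php echo esc_attr( get_option( 'sp_demo_profile_url', '' ) ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}

// 4. Output encoding: escape at the sink even though input was validated, so a
//    value that reached the database by another route cannot execute.
function sp_demo_render() {
    echo '<a href="' . esc_url( get_option( 'sp_demo_profile_url', '' ) ) . '">Profile</a>';
}
```

The four controls are independent and all four matter: the nonce stops a request the administrator never meant to send, the capability check stops a low-privileged user who did mean to send it, input validation limits what can be stored, and escaping at render time is what actually prevents stored XSS if any earlier layer is bypassed. WordPress nonces are bound to the user and rotate over time, so a nonce harvested from one session does not let an attacker forge requests for another administrator.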
Affected Products
The vulnerability affects the Social Profilr WordPress plugin (socialprofilr/social-profilr-display-social-network-profile) in version 1.0 and all earlier versions. The plugin is distributed through the WordPress plugin repository and alternative sources. Affected systems include WordPress installations running this plugin on any version of WordPress that supports the plugin. Further details are available in the Patchstack database entry referenced in the advisories.
Remediation
Update the Social Profilr plugin to a version newer than 1.0 if one is available from the plugin repository or the vendor. If no patched version is available, deactivate and remove the plugin from the WordPress installation until a secure version is released. Administrators can verify the installed version and apply updates through the WordPress admin dashboard (Plugins > Installed Plugins) and should enable automatic updates where possible. Review the Patchstack database entry and the plugin's official repository for the latest version information and security advisories. As a temporary control, restrict administrative accounts to trusted users and remind administrators not to follow links from untrusted sources while logged in to wp-admin; CSRF only works against a browser that holds a live administrator session, so logging out when not administering the site, or using a separate browser profile for administration, reduces exposure.