Skip to main content

CVE-2025-49344

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-12-31 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:43 NVD
7.1 (HIGH)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 06:15 nvd
N/A

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in reneade SensitiveTagCloud sensitive-tag-cloud allows Stored XSS.This issue affects SensitiveTagCloud: from n/a through <= 1.4.1.

AnalysisAI

Cross-site request forgery (CSRF) vulnerability in reneade SensitiveTagCloud WordPress plugin through version 1.4.1 allows attackers to perform unauthorized actions on behalf of authenticated administrators, potentially combined with stored XSS to inject malicious content. The vulnerability affects all versions up to and including 1.4.1, with no CVSS vector provided, but EPSS data suggests low real-world exploitation probability (0.02% percentile).

Technical ContextAI

The vulnerability stems from missing or insufficient CSRF token validation (CWE-352) in the SensitiveTagCloud WordPress plugin, a tool designed to display tag clouds with sensitivity filtering. WordPress plugins are executed in the context of the WordPress application, which provides CSRF protection mechanisms via nonces that must be properly implemented in all state-changing requests. The combination of CSRF with stored XSS indicates that an attacker could craft a malicious page that tricks an authenticated administrator into visiting it, triggering an unvalidated request that modifies plugin settings or injects malicious JavaScript into the stored tag cloud data. This represents a chain attack where CSRF is the delivery mechanism and stored XSS is the payload, affecting users of the plugin across all WordPress installations where SensitiveTagCloud version 1.4.1 or earlier is active.

Affected ProductsAI

The SensitiveTagCloud WordPress plugin by reneade is affected in all versions through 1.4.1. This is a WordPress plugin component distributed via the WordPress plugin repository. The vulnerability impacts any WordPress installation running SensitiveTagCloud version 1.4.1 or earlier where administrators may be targeted by CSRF attacks.

RemediationAI

Update the SensitiveTagCloud plugin to a version released after 1.4.1. Administrators should immediately upgrade to the latest available version from the WordPress plugin repository. In the interim, administrators should implement WordPress security best practices including enforcing strong passwords, limiting administrator account exposure, and using security plugins that provide additional CSRF protection. Additional details and advisories are available from Patchstack's vulnerability database entry for this plugin.

Share

CVE-2025-49344 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy