Skip to main content

CVE-2025-49345

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-12-31 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:43 NVD
7.1 (HIGH)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 06:15 nvd
N/A

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in mg12 WP-EasyArchives wp-easyarchives allows Stored XSS.This issue affects WP-EasyArchives: from n/a through <= 3.1.2.

AnalysisAI

WP-EasyArchives WordPress plugin versions 3.1.2 and earlier contains a cross-site request forgery (CSRF) vulnerability that enables stored cross-site scripting (XSS) attacks. An unauthenticated attacker can craft a malicious request to trick authenticated administrators into performing unintended actions, potentially injecting persistent JavaScript payloads that execute in the browsers of all site visitors. With an EPSS score of 0.02% (5th percentile), this vulnerability represents minimal real-world exploitation probability despite the attack chain complexity.

Technical ContextAI

This vulnerability exploits missing or inadequate CSRF token validation (CWE-352) in the WP-EasyArchives plugin, a WordPress extension for archiving and organizing content. The plugin fails to properly implement security tokens (nonces) that prevent forged cross-origin requests. When combined with insufficient input sanitization or output encoding, an attacker can leverage CSRF to modify plugin settings or inject malicious content that persists in the WordPress database. The attack requires user interaction (an administrator must visit a malicious site while logged into WordPress), but once successful, the stored XSS payload affects all visitors to the compromised WordPress installation.

Affected ProductsAI

WP-EasyArchives WordPress plugin versions 3.1.2 and earlier are affected. The plugin is distributed through the official WordPress plugin repository. All installations using versions up to and including 3.1.2 are vulnerable. Refer to the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/wp-easyarchives/vulnerability/wordpress-wp-easyarchives-plugin-3-1-2-cross-site-request-forgery-csrf-vulnerability for detailed version confirmation and timeline information.

RemediationAI

Upgrade WP-EasyArchives to a patched version released after 3.1.2 through the WordPress plugin update mechanism. Check the official WP-EasyArchives plugin page or the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wp-easyarchives/vulnerability/wordpress-wp-easyarchives-plugin-3-1-2-cross-site-request-forgery-csrf-vulnerability) for the exact patched version number and release date. As an interim workaround pending patch availability, restrict plugin settings modification to trusted administrators only and implement Web Application Firewall (WAF) rules to detect and block forged requests with missing or invalid nonce tokens. Disable the plugin temporarily if administrative access cannot be adequately restricted.

Share

CVE-2025-49345 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy