CVE-2025-49345
Description
Cross-Site Request Forgery (CSRF) vulnerability in mg12 WP-EasyArchives wp-easyarchives allows Stored XSS. This issue affects WP-EasyArchives: from n/a through <= 3.1.2.
Analysis
WP-EasyArchives WordPress plugin versions 3.1.2 and earlier contain a cross-site request forgery (CSRF) vulnerability that can be chained into stored cross-site scripting (XSS). An unauthenticated attacker hosts a page that issues a forged request; if an authenticated administrator loads that page, the administrator's browser submits the request with the site's session cookies and the plugin accepts it as a legitimate settings change. The injected content is stored and the JavaScript payload later executes in the browsers of visitors to the site. With an EPSS score of 0.02% (5th percentile), the real-world exploitation probability is minimal, which is consistent with an attack chain that depends on an administrator interacting with attacker-controlled content.
Technical Context
This vulnerability stems from missing or inadequate CSRF token validation (CWE-352) in the WP-EasyArchives plugin, a WordPress extension for archiving and organizing content. The plugin does not properly verify the per-user, per-action security tokens (nonces) that WordPress provides to reject forged cross-origin requests. Combined with insufficient input sanitization on the way in and missing output encoding on the way out, a forged request can change plugin settings or store attacker-controlled markup in the WordPress database. The attack requires user interaction (an administrator must visit a malicious site while logged into WordPress), but once the payload is stored it affects every visitor to the compromised installation, not just the administrator who was tricked.
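The following is an added illustration of the CWE-352 to stored-XSS chain described above; it is not code from WP-EasyArchives and the option name, hook names and nonce field name are hypothetical. It shows a settings handler written the vulnerable way next to the hardened pattern WordPress expects: capability check, nonce verification, input sanitization, and escaping at output.

```php
<?php
/**
 * Added example (not WP-EasyArchives code): a plugin settings handler
 * in its CSRF-prone form and in its hardened form. All names below
 * ('example_archives_*') are hypothetical.
 */

// --- Vulnerable pattern -------------------------------------------------
// A cross-site POST triggered from a page the administrator visits lands
// here carrying the admin's cookies: no nonce, no capability check, the
// value is stored unsanitized and later printed unescaped.
add_action( 'admin_post_example_archives_save_insecure', function () {
    update_option( 'example_archives_title', $_POST['title'] ); // stored as-is
    wp_safe_redirect( admin_url( 'options-general.php?page=example-archives' ) );
    exit;
} );

function example_archives_render_title_insecure() {
    // Stored XSS: whatever was saved is emitted verbatim to every visitor.
    echo '<h2>' . get_option( 'example_archives_title' ) . '</h2>';
}

// --- Hardened pattern ---------------------------------------------------
// Settings form: wp_nonce_field() emits a token bound to this user's
// session and to the action name, so an attacker's page cannot forge it.
function example_archives_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_archives_save">
        <?php wp_nonce_field( 'example_archives_save', '_example_archives_nonce' ); ?>
        <input type="text" name="title"
               value="<?php echo esc_attr( get_option( 'example_archives_title', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

add_action( 'admin_post_example_archives_save', function () {
    // 1. Authorization: only users who may manage options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // 2. CSRF: check_admin_referer() verifies the nonce for this action
    //    (and the referer) and terminates the request with 403 on failure.
    check_admin_referer( 'example_archives_save', '_example_archives_nonce' );

    // 3. Input sanitization: a title is plain text, so strip tags and
    //    control characters before it is stored.
    $title = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) )
        : '';
    update_option( 'example_archives_title', $title );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-archives' ) );
    exit;
} );

// 4. Output encoding: escape at the point of output even for values an
//    administrator saved, so a bypass of step 3 does not become XSS.
function example_archives_render_title() {
    echo '<h2>' . esc_html( get_option( 'example_archives_title', '' ) ) . '</h2>';
}
```

Steps 1 and 2 are independent defences: the capability check stops low-privilege users, while the nonce stops a privileged user's browser from being driven by a third party. Either one alone leaves a gap, and the sanitize/escape pair in steps 3 and 4 is what keeps a successful CSRF from turning into stored XSS.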
Affected Products
WP-EasyArchives WordPress plugin versions 3.1.2 and earlier are affected. The plugin is distributed through the official WordPress plugin repository. All installations running versions up to and including 3.1.2 are vulnerable. Refer to the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-easyarchives/vulnerability/wordpress-wp-easyarchives-plugin-3-1-2-cross-site-request-forgery-csrf-vulnerability for version confirmation and timeline information.
Remediation
Upgrade WP-EasyArchives to a version newer than 3.1.2 through the WordPress plugin update mechanism once a patched release is available. Check the official WP-EasyArchives plugin page or the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wp-easyarchives/vulnerability/wordpress-wp-easyarchives-plugin-3-1-2-cross-site-request-forgery-csrf-vulnerability) for the exact patched version number and release date. Until then, reduce exposure rather than expecting to eliminate it: keep the number of accounts with settings-level privileges small, since every such account is a potential CSRF victim, and have administrators avoid browsing untrusted sites while logged in. A Web Application Firewall cannot validate WordPress nonces (they are per-user, time-bound tokens the WAF has no key for), but it can block POST requests to the admin area whose Origin or Referer header does not match the site, which defeats the cross-site delivery the attack depends on. Deactivate the plugin temporarily if these controls cannot be applied.