Skip to main content

CVE-2025-49346

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-12-31 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:43 NVD
7.1 (HIGH)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 05:16 nvd
N/A

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in peterwsterling Simple Archive Generator simple-archive-generator allows Stored XSS.This issue affects Simple Archive Generator: from n/a through <= 5.2.

AnalysisAI

Cross-site request forgery (CSRF) vulnerability in Simple Archive Generator WordPress plugin through version 5.2 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators, potentially leading to stored XSS injection. The vulnerability requires tricking an administrator into visiting a malicious page but carries low exploitation probability (EPSS 0.02%) despite being simple to execute, suggesting limited real-world weaponization.

Technical ContextAI

Simple Archive Generator is a WordPress plugin that provides archive functionality for blog posts and content. The vulnerability stems from missing or improper CSRF token validation (CWE-352) in the plugin's administrative functions, allowing cross-origin requests to perform state-changing operations without verification. The plugin processes requests that modify data structures or execute functions without sufficient origin validation, and the CSRF attack vector can be weaponized to inject stored XSS payloads through archive-related fields. WordPress plugins running in the wp-content/plugins directory are particularly susceptible when CSRF protections rely solely on nonces that are not properly validated across all user-facing actions.

Affected ProductsAI

Simple Archive Generator WordPress plugin versions 5.2 and earlier are affected. The plugin is distributed via the WordPress Plugin Directory and managed by peterwsterling. Affected installations include all deployments of Simple Archive Generator from the earliest version through version 5.2 inclusive. WordPress sites running this plugin should consult the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/simple-archive-generator/vulnerability/wordpress-simple-archive-generator-plugin-5-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve for version-specific details.

RemediationAI

Upgrade Simple Archive Generator to a version newer than 5.2; the vendor has released patched versions addressing the CSRF vulnerability. Users should navigate to the WordPress Plugins dashboard, locate Simple Archive Generator, and click the update button to retrieve the patched version, or manually download the latest release from the WordPress Plugin Directory. As an interim workaround, administrators should restrict plugin access to trusted users, disable plugin functionality via code if not in active use, or implement network-level controls to prevent admin accounts from accessing untrusted external sites that could host CSRF attack pages. Refer to the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/simple-archive-generator/vulnerability/wordpress-simple-archive-generator-plugin-5-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve) for confirmation of patched version availability.

Share

CVE-2025-49346 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy