CVE-2025-49346
Description
Cross-Site Request Forgery (CSRF) vulnerability in peterwsterling Simple Archive Generator simple-archive-generator allows Stored XSS. This issue affects Simple Archive Generator: from n/a through <= 5.2.
Analysis
Cross-site request forgery (CSRF) vulnerability in Simple Archive Generator WordPress plugin through version 5.2 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators, potentially leading to stored XSS injection. The vulnerability requires tricking an administrator into visiting a malicious page but carries low exploitation probability (EPSS 0.02%) despite being simple to execute, suggesting limited real-world weaponization.
Technical Context
Simple Archive Generator is a WordPress plugin that provides archive functionality for blog posts and content. The vulnerability stems from missing or improper CSRF token validation (CWE-352) in the plugin's administrative functions: state-changing requests are accepted without verifying that they originated from the plugin's own admin forms, so a cross-origin request issued by an administrator's browser can trigger them. Because the affected requests can write attacker-supplied values into archive-related fields, the CSRF vector can be used to plant stored XSS payloads. WordPress plugins are particularly susceptible when CSRF protection relies solely on nonces that are not verified on every state-changing action.
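The pattern described above, as an added illustration that is not code from the Simple Archive Generator plugin: a hypothetical WordPress admin settings handler is shown once without CSRF protection and once with the standard nonce, capability and sanitization checks that break the CSRF-to-stored-XSS chain. The option key `sag_demo_archive_title`, the action `sag_demo_save`, the nonce field `sag_demo_nonce` and the settings page slug `sag-demo` are invented for the example; the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `sanitize_text_field`, `esc_html`) are real.

```php
<?php
/*
 * Added example, not the plugin's own code. All option, action, nonce and
 * page names below are hypothetical placeholders.
 */

// Vulnerable pattern (illustrative only): every POST to admin-post.php with
// action=sag_demo_save is honoured. A forged cross-site form submitted by a
// logged-in administrator's browser therefore updates the option, and the raw
// value, echoed later without escaping, becomes a stored XSS payload.
function sag_demo_save_vulnerable() {
    update_option( 'sag_demo_archive_title', $_POST['archive_title'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=sag-demo' ) );
    exit;
}

// Hardened pattern, step 1: the admin form carries a nonce bound to this
// action and the current user. A page on another origin cannot obtain one.
function sag_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="sag_demo_save">
        <?php wp_nonce_field( 'sag_demo_save', 'sag_demo_nonce' ); ?>
        <label>Archive title
            <input type="text" name="archive_title"
                   value="<?php echo esc_attr( get_option( 'sag_demo_archive_title', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Hardened pattern, step 2: verify capability and nonce, then sanitize,
// before any state changes.
function sag_demo_save_hardened() {
    // Authorization: the requester must be allowed to change site settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // CSRF: check_admin_referer() calls wp_die() if the nonce is missing,
    // expired, or was minted for a different action or user.
    check_admin_referer( 'sag_demo_save', 'sag_demo_nonce' );
    // Input validation: strip tags, control characters and extra whitespace.
    $title = isset( $_POST['archive_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['archive_title'] ) )
        : '';
    update_option( 'sag_demo_archive_title', $title );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=sag-demo' ) ) );
    exit;
}

// Output encoding: escape at render time regardless of what is stored, so a
// value written before the fix still cannot execute as script.
function sag_demo_heading() {
    echo '<h2>' . esc_html( get_option( 'sag_demo_archive_title', '' ) ) . '</h2>';
}

// Only the hardened handler is wired up; the vulnerable one is kept for contrast.
add_action( 'admin_post_sag_demo_save', 'sag_demo_save_hardened' );
```

The two handlers differ in three checks, and all three matter: the capability check stops low-privilege users, the nonce check stops cross-origin requests from privileged browsers, and the sanitization plus output escaping keep any value that does slip through from rendering as markup. Plugins that add only one of these leave the CWE-352 path open.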
Affected Products
Simple Archive Generator WordPress plugin versions 5.2 and earlier are affected. The plugin is distributed via the WordPress Plugin Directory and managed by peterwsterling. Affected installations include all deployments of Simple Archive Generator from the earliest version through version 5.2 inclusive. WordPress sites running this plugin should consult the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/simple-archive-generator/vulnerability/wordpress-simple-archive-generator-plugin-5-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve for version-specific details.
Remediation
Upgrade Simple Archive Generator to a version newer than 5.2; the vendor has released patched versions addressing the CSRF vulnerability. Users should navigate to the WordPress Plugins dashboard, locate Simple Archive Generator, and click the update button to retrieve the patched version, or manually download the latest release from the WordPress Plugin Directory. As an interim workaround, administrators should restrict plugin access to trusted users, deactivate the plugin if it is not in active use, or implement network-level controls to prevent admin accounts from accessing untrusted external sites that could host CSRF attack pages. Refer to the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/simple-archive-generator/vulnerability/wordpress-simple-archive-generator-plugin-5-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve) for confirmation of patched version availability.