Create Posts & Terms CVE-2025-49351
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in Valentin Agachi Create Posts & Terms create-posts-terms allows Stored XSS.This issue affects Create Posts & Terms: from n/a through <= 1.3.1.
AnalysisAI
Cross-site request forgery (CSRF) in Create Posts & Terms WordPress plugin through version 1.3.1 enables attackers to inject malicious scripts that persist in the application database. Exploitation requires tricking an authenticated administrator into visiting a malicious page while logged into WordPress. The vulnerability chains CSRF with stored XSS, allowing attackers to execute arbitrary JavaScript in victims' browsers across sessions with potential for privilege escalation, data theft, and site compromise. EPSS score and exploitation data not available, but Patchstack database listing indicates security researcher disclosure.
Technical ContextAI
Create Posts & Terms is a WordPress plugin by Valentin Agachi that provides functionality for creating posts and taxonomy terms. The vulnerability stems from insufficient CSRF token validation (CWE-352) on administrative functions that accept user input. WordPress plugins should implement nonce verification using wp_verify_nonce() to validate state-changing requests. The absence of this protection allows attackers to forge requests that appear to originate from legitimate administrators. When combined with inadequate input sanitization, the CSRF enables injection of malicious JavaScript payloads that get stored in the WordPress database, creating a persistent cross-site scripting condition. The stored XSS executes whenever the compromised content is rendered, affecting all users who view the injected data.
Affected ProductsAI
WordPress plugin Create Posts & Terms by Valentin Agachi, all versions through 1.3.1 inclusive. The vulnerability affects installations where the plugin is active and administrators have privileges to create posts or terms. According to Patchstack vulnerability database reference (https://patchstack.com/database/Wordpress/Plugin/create-posts-terms/vulnerability/wordpress-create-posts-terms-plugin-1-3-1-cross-site-request-forgery-csrf-vulnerability), version 1.3.1 and all earlier releases contain the CSRF and stored XSS flaws. CPE data not provided in available intelligence. Specific WordPress core version compatibility requirements unknown but typical WordPress plugin vulnerabilities affect sites running WordPress 4.x through current 6.x releases.
RemediationAI
Update Create Posts & Terms plugin to version 1.3.2 or later if available, verifying patch status through the WordPress plugin repository or Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/create-posts-terms/vulnerability/wordpress-create-posts-terms-plugin-1-3-1-cross-site-request-forgery-csrf-vulnerability. Patched version not independently confirmed from available data-verify current version in WordPress.org plugin directory before deployment. If no patch exists, immediately deactivate and remove the plugin until vendor releases a fix, replacing functionality with alternative plugins that implement proper CSRF protection (WordPress nonces) and input sanitization. As compensating controls if plugin must remain active: restrict WordPress admin access to trusted IP addresses via .htaccess or firewall rules, implement web application firewall (WAF) rules to detect CSRF attack patterns and XSS payloads in POST requests, enable Content Security Policy headers to limit inline script execution (may break legitimate plugin functionality), and educate administrators to never click links from untrusted sources while authenticated to WordPress admin panel. Monitor WordPress database tables for suspicious JavaScript content in post metadata and term descriptions.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today