EUVD-2025-17153

CVE-2025-49453 | Severity: HIGH
Published: 2025-06-06 | Assigner: [email protected]
CVSS 3.1 base score: 7.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality: Low
- Integrity: Low
- Availability: Low

Lifecycle Timeline

- Analysis Generated: Mar 14, 2026 - 18:10 (vuln.today)
- EUVD ID Assigned: Mar 14, 2026 - 18:10 (euvd): EUVD-2025-17153
- CVE Published: Jun 06, 2025 - 13:16 (nvd): HIGH 7.1

Description

Cross-Site Request Forgery (CSRF) vulnerability in Jatinder Pal Singh BP Profile as Homepage allows Stored XSS. This issue affects BP Profile as Homepage: from n/a through 1.1.

Analysis

CSRF vulnerability in the Jatinder Pal Singh BP Profile as Homepage plugin (versions through 1.1) that enables Stored XSS. An unauthenticated attacker can exploit this by luring an authenticated user into submitting a forged web request that injects persistent JavaScript into the application, affecting all users who subsequently view the compromised profile. The vulnerability requires user interaction (CVSS UI:R) but has a changed scope (S:C), meaning the impact extends beyond the vulnerable plugin component itself, resulting in a 7.1 (High) severity rating; KEV status and active exploitation data are not currently available in public disclosures.

Technical Context

This vulnerability combines two distinct weaknesses: CWE-352 (Cross-Site Request Forgery) and Stored XSS. The root cause is insufficient CSRF token validation in the BP Profile as Homepage plugin, allowing attackers to craft forged requests that modify user profile data on behalf of a victim. The Stored XSS component indicates that input validation is also bypassed, permitting JavaScript payloads to be persisted in the profile homepage field. When other users later visit the affected profile, the stored script executes in their browsers; the attack is network-reachable (AV:N) with no privileges required of the attacker (PR:N). The plugin likely runs on WordPress or a similar CMS platform given the naming convention. No specific CPE data was provided, but the affected product is Jatinder Pal Singh BP Profile as Homepage, versions 1.1 and earlier.

Affected Products

- vendor: Jatinder Pal Singh; product: BP Profile as Homepage; affected_versions: through 1.1; status: Vulnerable

Remediation

1. Update the BP Profile as Homepage plugin to version 1.2 or later immediately.
2. If running version 1.1, disable the plugin until patching.
3. Workaround: implement a Web Application Firewall (WAF) rule to block POST requests to profile modification endpoints lacking valid CSRF tokens.
4. Conduct a site audit to identify and remove any injected JavaScript from user profiles created during the vulnerability window.
5. Implement Content Security Policy (CSP) headers to mitigate XSS impact.
6. Review user profile content for malicious scripts and sanitize stored data.

Note: No vendor advisory URL or specific patch version number was provided in the CVE data; consult the official plugin repository or vendor website for patch availability.

Priority Score

36 (scale: Low / Medium / High / Critical)

- KEV: 0
- EPSS: +0.0
- CVSS: +36
- POC: 0

EUVD-2025-17153 vulnerability details – vuln.today