CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Description
Cross-Site Request Forgery (CSRF) vulnerability in Mohammad Parsa Logo Manager For Samandehi allows Stored XSS. This issue affects Logo Manager For Samandehi: from n/a through 0.5.
Analysis
CVE-2025-52780 is a CSRF vulnerability in Mohammad Parsa Logo Manager For Samandehi (versions through 0.5) that can be chained into Stored XSS. The attacker needs no account on the target site (PR:N) but must lure a logged-in user who can reach the plugin's settings into loading a crafted page (UI:R); the forged request is then processed with the victim's session and writes a script payload into the stored logo data, which later executes in the browsers of other users who view it (S:C). The vulnerability has a CVSS 3.1 base score of 7.1 (High). Each impact metric is rated Low (C:L/I:L/A:L), but because the payload persists, a single successful forgery affects every subsequent viewer rather than only the victim of the forged request.
Technical Context
The vulnerability exists in the Logo Manager For Samandehi WordPress plugin, which manages the display of a Samandehi logo on a site. The root cause is CWE-352 (Cross-Site Request Forgery): a state-changing request that modifies the stored logo data is accepted without a valid WordPress nonce (and, in the usual CSRF pattern, without a capability check tied to that action), so a request forged from an attacker-controlled page is honoured with the victim's session cookies. The Stored XSS noted in the description indicates two further defects: the forged request can place unsanitized data into persistent storage, and that data is later rendered without escaping. An attacker therefore forges a submission whose logo fields carry a JavaScript payload, and the script runs in the browser of any administrator or visitor who subsequently views a page on which the logo is rendered. Chaining CSRF with Stored XSS in this way turns a one-time forged request into a persistent threat to all site users.
Affected Products
Mohammad Parsa Logo Manager For Samandehi, versions 0.5 and earlier ("n/a through 0.5" gives no tracked lower bound, so every released version should be treated as affected).
Remediation
Update (priority: Critical): Update Logo Manager For Samandehi to a version later than 0.5 once Mohammad Parsa releases a fix. Monitor the plugin's WordPress Plugin Directory page and the vendor's repository for security updates.
Workaround (priority: High, temporary): Deactivate the Logo Manager plugin until a patched version is available. If its functionality is required, restrict access to the plugin's admin pages (and wp-admin generally) to trusted IP ranges via firewall or .htaccess rules. Note that this only reduces the risk: CSRF rides on the victim's own browser, so an administrator inside the trusted range can still be made to submit the forged request.
Mitigation (priority: High): Deploy Web Application Firewall (WAF) rules that block requests to the logo management endpoints whose Origin or Referer header does not match the site. Alert on logo submissions containing script-bearing content (<script> tags, on* event-handler attributes such as onclick and onerror, javascript: URLs). Serve a Content Security Policy (CSP) that disallows inline script so that a payload which does get stored is less likely to execute.
Preventive code fix (priority: Critical): The vendor must verify a WordPress nonce (check_admin_referer() or wp_verify_nonce()) and a capability (current_user_can()) on every request that modifies logo data, sanitize submitted values on input (for example esc_url_raw() for URLs and sanitize_text_field() for text), escape them on output with esc_url(), esc_attr() or wp_kses() as appropriate, and, if the plugin accepts uploaded logo files, validate the file type server-side.
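The vulnerable shape described in the Technical Context beside the hardened handler the code fix calls for, as an added illustration written for this page; it is not code from the Logo Manager For Samandehi plugin, whose source is not shown here. The lms_demo_ prefix, the option names and the form field names are assumptions; the WordPress functions called (wp_nonce_field, check_admin_referer, current_user_can, esc_url_raw, esc_url, esc_attr, update_option, get_option) are the real ones.

```php
<?php
/**
 * Added illustration, not code from the Logo Manager For Samandehi plugin.
 * Option names, field names and the lms_demo_ prefix are hypothetical.
 */

// --- Vulnerable pattern (the CWE-352 shape the advisory describes) ---------
// No nonce, no capability check; raw HTML is stored and later echoed unescaped.
function lms_demo_vulnerable_save() {
    if ( isset( $_POST['logo_html'] ) ) {
        update_option( 'lms_demo_logo_html', wp_unslash( $_POST['logo_html'] ) ); // stored as-is
    }
}
function lms_demo_vulnerable_render() {
    echo get_option( 'lms_demo_logo_html', '' ); // stored XSS fires here
}

// --- Hardened pattern -------------------------------------------------------
// Form: emits a nonce bound to this action and the current user's session, so a
// page on another origin cannot produce a request that passes the check below.
function lms_demo_settings_form() {
    $img  = get_option( 'lms_demo_logo_img', '' );
    $link = get_option( 'lms_demo_logo_link', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="lms_demo_save_logo">';
    wp_nonce_field( 'lms_demo_save_logo', 'lms_demo_nonce' );
    echo '<input type="url" name="logo_img" value="' . esc_attr( $img ) . '">';
    echo '<input type="url" name="logo_link" value="' . esc_attr( $link ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// Handler: admin-post.php dispatches action=lms_demo_save_logo here for logged-in users.
add_action( 'admin_post_lms_demo_save_logo', 'lms_demo_save_logo' );
function lms_demo_save_logo() {
    // 1. CSRF: dies with HTTP 403 if the nonce is missing, expired or issued for another action.
    check_admin_referer( 'lms_demo_save_logo', 'lms_demo_nonce' );

    // 2. Authorization: a request from a low-privilege account must fail even with a valid nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }

    // 3. Input validation: only http(s) URLs survive; javascript: and data: schemes become ''.
    $img  = lms_demo_clean_url( $_POST['logo_img']  ?? '' );
    $link = lms_demo_clean_url( $_POST['logo_link'] ?? '' );
    if ( '' === $img ) {
        wp_die( 'Invalid logo image URL', 400 );
    }
    update_option( 'lms_demo_logo_img',  $img );
    update_option( 'lms_demo_logo_link', $link );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}

function lms_demo_clean_url( $raw ) {
    $url = esc_url_raw( wp_unslash( $raw ), array( 'http', 'https' ) );
    return is_string( $url ) ? $url : '';
}

// 4. Output escaping: the logo is assembled from fixed tags, and the stored values
//    only ever appear inside escaped attributes, never as markup.
function lms_demo_render_logo() {
    $img  = get_option( 'lms_demo_logo_img', '' );
    $link = get_option( 'lms_demo_logo_link', '' );
    if ( '' === $img ) {
        return '';
    }
    $html = '<img src="' . esc_url( $img ) . '" alt="' . esc_attr__( 'Samandehi logo', 'lms-demo' ) . '">';
    if ( '' !== $link ) {
        $html = '<a href="' . esc_url( $link ) . '" rel="noopener" target="_blank">' . $html . '</a>';
    }
    return $html;
}
add_shortcode( 'lms_demo_logo', 'lms_demo_render_logo' );
```

Two design points are worth noting. The nonce check alone would not have stopped a logged-in subscriber from changing the logo, which is why the capability check is separate; and storing URLs rather than an HTML snippet removes the need for wp_kses on output entirely, since the only attacker-controlled bytes that reach the page pass through esc_url and esc_attr.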
EUVD-2025-28459