EUVD-2025-28465

CVE-2025-52790 | HIGH | 7.1 (CVSS 3.1)
Published 2025-06-20, reported by [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

- Analysis Generated: Mar 15, 2026 - 00:19 (vuln.today)
- EUVD ID Assigned: Mar 15, 2026 - 00:19 (euvd), EUVD-2025-28465
- CVE Published: Jun 20, 2025 - 15:15 (nvd), HIGH 7.1

Description

Cross-Site Request Forgery (CSRF) vulnerability in r-win WP-DownloadCounter allows Stored XSS. This issue affects WP-DownloadCounter: from n/a through 1.01.

Analysis

CVE-2025-52790 is a CSRF vulnerability in the r-win WP-DownloadCounter WordPress plugin (versions through 1.01) that enables Stored XSS attacks. An attacker can craft malicious requests that, when clicked by an administrator, inject persistent JavaScript into the plugin's data storage, affecting all site visitors. The CVSS 7.1 score reflects moderate severity with network-based attack delivery and user interaction requirements, though the actual exploitability and active exploitation status require verification against KEV and EPSS data.

Technical Context

WP-DownloadCounter is a WordPress plugin (CPE likely: cpe:2.3:a:r-win:wp-downloadcounter) that manages and tracks file downloads. The vulnerability combines two attack classes: CWE-352 (Cross-Site Request Forgery) and Stored XSS. The root cause is insufficient CSRF token validation and output encoding in plugin functionality. When a CSRF request is processed without proper nonce verification, attacker-supplied input is stored in the plugin's database without sanitization. Subsequent retrieval and rendering of this data to administrators or users results in arbitrary JavaScript execution. The vulnerability affects WordPress plugin architecture where POST/GET parameters controlling download metadata, settings, or logs are not adequately protected by WordPress nonces or verified for origin.

Affected Products

r-win WP-DownloadCounter, version 1.01 and earlier ("through 1.01", i.e. all versions ≤ 1.01)

Remediation

- Update Plugin: Upgrade r-win WP-DownloadCounter to version 1.02 or later (this assumes a patched version exists after 1.01; verify via the wordpress.org plugin repository or a vendor advisory).
- CSRF Protection: Ensure all plugin forms implement WordPress nonce validation (wp_verify_nonce()) on POST requests. This blocks CSRF exploitation by validating origin-specific tokens.
- Output Encoding: Sanitize and escape all user-supplied data before storage (sanitize_text_field(), wp_kses_post()) and before display (esc_html(), esc_attr(), wp_kses_post()). This prevents Stored XSS.
- Immediate Workaround: If no patch is available, disable r-win WP-DownloadCounter until a patched version is released, or restrict admin access via .htaccess/firewall rules to minimize the CSRF attack surface.
- Verify Patch: Check the WordPress.org plugin repository (wordpress.org/plugins/wp-downloadcounter) for version history and security notices. Review vendor advisories from r-win.
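The CSRF Protection and Output Encoding steps above, shown together in a WordPress settings handler. This is an added illustrative example, not code from the WP-DownloadCounter plugin or from r-win; the wpdc_* function names, the option key and the form field are assumptions.

```php
<?php
// Added example (not WP-DownloadCounter code): a WordPress settings handler applying
// the remediation steps above. The wpdc_* names, option key and field are assumptions.

// Settings form: wp_nonce_field() emits the origin-bound token that a forged
// cross-site request cannot supply.
function wpdc_render_settings_page() {
    $label = get_option( 'wpdc_download_label', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpdc_save_settings">
        <?php wp_nonce_field( 'wpdc_save_settings', 'wpdc_nonce' ); ?>
        <label>Download label
            <input type="text" name="wpdc_download_label" value="<?php echo esc_attr( $label ); ?>">
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}

// POST handler. The vulnerable pattern is: read $_POST, update_option(), echo it back.
// Each step below closes one gap named in the remediation list.
function wpdc_save_settings() {
    // CSRF: check_admin_referer() dies with 403 when the nonce is missing or invalid.
    check_admin_referer( 'wpdc_save_settings', 'wpdc_nonce' );
    // Authorization: a valid nonce does not by itself prove the caller may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wpdc' ), '', array( 'response' => 403 ) );
    }
    // Sanitize before storage: sanitize_text_field() strips tags and control characters.
    $label = isset( $_POST['wpdc_download_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['wpdc_download_label'] ) )
        : '';
    update_option( 'wpdc_download_label', $label );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=wpdc' ) ) );
    exit;
}
add_action( 'admin_post_wpdc_save_settings', 'wpdc_save_settings' );

// Escape at output for the HTML context, even though the value was sanitized on
// input: stored data may predate the fix or arrive via another path.
function wpdc_download_counter_markup( $count ) {
    $label = get_option( 'wpdc_download_label', 'Downloads' );
    return '<span class="wpdc-count">' . esc_html( $label ) . ': ' . (int) $count . '</span>';
}
```

Using check_admin_referer() rather than a bare wp_verify_nonce() call also covers the case where the nonce field is absent entirely, which a handler that only checks a present token can miss.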

Priority Score

36 (scale: Low / Medium / High / Critical)

- KEV: 0
- EPSS: +0.0
- CVSS: +36
- POC: 0

EUVD-2025-28465 vulnerability details – vuln.today