Description
The Label Plugins plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5. This is due to missing or incorrect nonce validation on the label_plugins_options() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-11-04
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting via CSRF
Action: Patch Plugin
AI Analysis

Impact

The Label Plugins plugin for WordPress lacks nonce validation in the label_plugins_options() function, which allows an attacker to forge a request that updates the plugin's settings and injects malicious scripts. The injected scripts are stored and later executed in the browsers of site administrators or other users, enabling credential theft, defacement, or other actions performed with the victim's privileges. The flaw is a Cross-Site Request Forgery (CWE-352) that leads to Stored Cross-Site Scripting.

Affected Systems

The only affected vendor/product is theode:Label Plugins, in versions up to and including 0.5. No other versions are listed, and no additional affected products are identified in the data.

Risk and Exploitability

The CVSS score of 6.1 indicates medium severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The flaw is not listed in the CISA KEV catalog. The attack requires a site administrator to be tricked into clicking a crafted link (for example, one delivered by email), after which the forged request runs with the administrator's privileges and stores the malicious script. Because the vulnerability is exploitable without authentication but depends on user interaction, the overall risk is moderate with a low exploitation likelihood.

Generated by OpenCVE AI on April 22, 2026 at 11:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Label Plugins to the latest available version that contains the nonce validation fix.
  • If an immediate update is not possible, temporarily disable or delete the plugin to eliminate the vulnerable code path.
  • As a temporary workaround, manually add nonce or capability checks to the label_plugins_options() handler to prevent unauthorized changes, or remove the settings endpoint altogether.
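The third recommendation amounts to the standard WordPress pattern for a settings handler: gate the request on a capability check, verify a nonce tied to the current user's session before writing anything, and sanitise on input and escape on output. The following is an added illustration, not the Label Plugins plugin's own code; only the function name label_plugins_options() comes from the advisory, while the option key, nonce action, field names and form markup are assumptions. The first function shows the unprotected pattern the advisory describes, the second the hardened form using WordPress core APIs (current_user_can, check_admin_referer, wp_nonce_field, sanitize_text_field, esc_attr).

```php
<?php
// Added illustration, not the Label Plugins plugin's own code.
// Assumed option key and nonce action; only label_plugins_options()
// comes from the advisory text.
define( 'LABEL_PLUGINS_OPTION', 'label_plugins_settings' ); // assumed option key
define( 'LABEL_PLUGINS_NONCE', 'label_plugins_save' );      // assumed nonce action

// Unprotected pattern (for contrast only): the handler writes POST data
// straight to the options table with neither a nonce nor a capability
// check. A forged cross-site form that an administrator is lured into
// submitting is therefore accepted, and because the value is stored
// unsanitised and later echoed back, the result is stored XSS.
function label_plugins_options_unprotected() {
    if ( isset( $_POST['label_text'] ) ) {
        update_option( LABEL_PLUGINS_OPTION, $_POST['label_text'] );
    }
}

// Hardened handler.
function label_plugins_options() {
    // 1. Capability check: only users allowed to manage options may reach
    //    the settings page or save it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'label-plugins' ), 403 );
    }

    if ( isset( $_POST['label_plugins_submit'] ) ) {
        // 2. Nonce check: check_admin_referer() calls wp_die() with 403 when
        //    the token is missing, expired, or was not issued for this user
        //    and action, which is exactly what a cross-site forged request lacks.
        check_admin_referer( LABEL_PLUGINS_NONCE, '_label_plugins_nonce' );

        // 3. Sanitise on input so markup never reaches the database.
        $label = sanitize_text_field( wp_unslash( $_POST['label_text'] ?? '' ) );
        update_option( LABEL_PLUGINS_OPTION, $label );
    }

    $current = get_option( LABEL_PLUGINS_OPTION, '' );
    ?>
    <div class="wrap">
        <h1><?php esc_html_e( 'Label Plugins', 'label-plugins' ); ?></h1>
        <form method="post">
            <?php
            // Emits the hidden nonce field (and the referer field) that
            // check_admin_referer() validates on submit.
            wp_nonce_field( LABEL_PLUGINS_NONCE, '_label_plugins_nonce' );
            ?>
            <label for="label_text"><?php esc_html_e( 'Label text', 'label-plugins' ); ?></label>
            <!-- 4. Escape on output as well: defence in depth against stored XSS. -->
            <input type="text" id="label_text" name="label_text"
                   value="<?php echo esc_attr( $current ); ?>">
            <?php submit_button( __( 'Save', 'label-plugins' ), 'primary', 'label_plugins_submit' ); ?>
        </form>
    </div>
    <?php
}
```

The nonce alone does not replace the capability check: a nonce proves the request originated from a page WordPress rendered for this user, while current_user_can() proves the user is allowed to change the setting. Both are needed, and the output escaping in step 4 limits the damage if a value ever reaches the database through another path.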

Generated by OpenCVE AI on April 22, 2026 at 11:48 UTC.


Advisories

No advisories yet.

History

Tue, 04 Nov 2025 19:15:00 +0000

Metrics ssvc (values added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 04 Nov 2025 16:45:00 +0000

First Time appeared (values added): Wordpress; Wordpress wordpress
Vendors & Products (values added): Wordpress; Wordpress wordpress

Tue, 04 Nov 2025 03:45:00 +0000

Description (values added): The Label Plugins plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5. This is due to missing or incorrect nonce validation on the label_plugins_options() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title (values added): Label Plugins <= 0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Weaknesses (values added): CWE-352
References (values added): none listed
Metrics cvssV3_1 (values added): {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:04:21.143Z

Reserved: 2025-10-28T14:26:10.492Z

Link: CVE-2025-12401

Vulnrichment

Updated: 2025-11-04T18:48:40.026Z

NVD

Status: Deferred

Published: 2025-11-04T04:15:37.593

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12401

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses