Description
The LinkedIn Resume plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.00. This is due to missing or incorrect nonce validation on the linkedinresume_printAdminPage() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-11-04
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting
Action: Apply patch
AI Analysis

Impact

The LinkedIn Resume plugin for WordPress contains a missing or incorrect nonce check in the linkedinresume_printAdminPage() function. Because the handler does not verify that a settings-update request originated from the plugin's own admin form, an attacker who needs no account on the site can host a page that submits the request from a logged-in administrator's browser; the browser attaches the administrator's session cookies automatically, so the server treats the forged request as the administrator's own. The request overwrites the plugin's settings with attacker-controlled content, and because that content is stored without neutralising script and later rendered on the affected admin page, it executes as stored cross-site scripting in the context of the administrator (or any other privileged user) who views that page. From there the attacker can read data visible to that user, deface content, or hijack the session. The underlying weakness is Cross-Site Request Forgery (CWE-352); the stored XSS is its consequence.

Affected Systems

Any WordPress site running the LinkedIn Resume plugin version 2.00 or earlier. The affected vendor is bondnono and the product name is LinkedIn Resume.

Risk and Exploitability

The CVSS 3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) is Medium: the attack is reachable over the network and needs no privileges on the site, but it requires user interaction (an administrator must open or click something the attacker controls), and the changed scope reflects that the payload runs in the victim's browser rather than on the vulnerable server. The EPSS estimate of under 1% indicates a very low probability of exploitation in the wild, the CVE is not in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. The practical constraint is social engineering: the attacker must get a logged-in administrator to trigger the forged request. Once that request has been processed, the payload is stored and executes every time a privileged user loads the affected admin page, with no further interaction. The likelihood is therefore low, but a successful attack yields script execution inside an administrator's session, which justifies remediating promptly.

Generated by OpenCVE AI on April 22, 2026 at 11:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update LinkedIn Resume to a release newer than 2.00 if one is published; if no fixed release exists, deactivate and remove the plugin.
  • If you must keep the plugin and no update is available, patch the settings-update path yourself: emit a nonce in the form with wp_nonce_field(), verify it with check_admin_referer() (or wp_verify_nonce()) before any option is written, require current_user_can('manage_options'), sanitise submitted values on input, and escape them with esc_attr()/esc_html() on output. Removing the request-processing code from linkedinresume_printAdminPage() also closes the hole, at the cost of the admin page it renders.
  • Reduce the chance of a successful lure and the blast radius if one succeeds: restrict wp-admin to trusted IP addresses, enable two‑factor authentication for administrators, and alert on unexpected changes to the plugin's options (for example by logging option updates) so that covert exploitation is detected.
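The Impact section above describes the shape of the bug (an admin-page handler that writes options from a POST without verifying a nonce, then renders the stored value) and the second recommended action describes the fix. The block below is an added illustration written for this page, not code from the LinkedIn Resume plugin or from Wordfence; every function, option and field name in it (example_vulnerable_print_admin_page, example_headline, example_nonce, and so on) is hypothetical. It shows the vulnerable pattern beside a hardened handler built on the real WordPress APIs named above, plus an audit hook on the core updated_option action for the monitoring step in the third recommendation.

```php
<?php
/*
 * Illustrative WordPress settings-page pattern. This is NOT the LinkedIn
 * Resume plugin's code: option, field and function names are hypothetical
 * and exist only to show the CSRF-to-stored-XSS pattern and its fix.
 */

// --- Vulnerable pattern: settings handler with no nonce or capability check --
// Any POST carrying the field updates the option. A cross-site request from an
// attacker page is sent with the admin's cookies, so it is accepted, and the
// unsanitised value is later echoed into the admin page unescaped.
function example_vulnerable_print_admin_page() {
    if ( isset( $_POST['example_headline'] ) ) {
        // No check_admin_referer(), no current_user_can(), no sanitisation.
        update_option( 'example_headline', $_POST['example_headline'] );
    }
    $headline = get_option( 'example_headline', '' );
    echo '<form method="post">';
    // Unescaped output: a stored <script> payload executes for whoever loads this page.
    echo '<input type="text" name="example_headline" value="' . $headline . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// --- Hardened pattern --------------------------------------------------------
function example_hardened_print_admin_page() {
    // 1. Capability check: only users allowed to manage options may reach this code.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
    }

    if ( isset( $_POST['example_headline'] ) ) {
        // 2. Nonce check. The token is tied to the action name and the logged-in
        //    user, so a page on another origin cannot supply a valid one.
        //    check_admin_referer() calls wp_die() if the nonce is missing or bad.
        check_admin_referer( 'example_save_settings', 'example_nonce' );

        // 3. Sanitise on input; wp_unslash() removes the slashes WordPress adds to $_POST.
        $headline = sanitize_text_field( wp_unslash( $_POST['example_headline'] ) );
        update_option( 'example_headline', $headline );
    }

    $headline = get_option( 'example_headline', '' );
    echo '<form method="post">';
    // 4. Emit the nonce the check above expects (hidden input named example_nonce).
    wp_nonce_field( 'example_save_settings', 'example_nonce' );
    // 5. Escape on output so anything that did reach the option cannot execute.
    echo '<input type="text" name="example_headline" value="' . esc_attr( $headline ) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// --- Detection: log option writes that carry markup --------------------------
// 'updated_option' is a core action fired by update_option() after a value
// changes, with ($option, $old_value, $value). Flagging any option that now
// contains an HTML tag catches a CSRF-injected payload regardless of which
// plugin stored it; tune the pattern if legitimate options hold markup.
add_action( 'updated_option', function ( $option, $old_value, $value ) {
    if ( is_string( $value ) && preg_match( '/<\s*[a-z]/i', $value ) ) {
        error_log( sprintf(
            '[option-audit] option "%s" updated with markup by user %d from %s',
            $option,
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
    }
}, 10, 3 );
```

The nonce alone stops the forged request from being honoured; the capability check and the input/output escaping are what keep a bypass or a future logic error from turning into stored XSS, so all three belong in the fix. The audit hook writes to the PHP error log; in production, route it to whatever your SIEM ingests.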



Advisories

No advisories yet.

History

Tue, 04 Nov 2025 16:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Bondnono; Bondnono linkedin Resume; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Bondnono; Bondnono linkedin Resume; Wordpress; Wordpress wordpress

Tue, 04 Nov 2025 16:15:00 +0000

Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 04 Nov 2025 04:45:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: The LinkedIn Resume plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.00. This is due to missing or incorrect nonce validation on the linkedinresume_printAdminPage() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Type: Title
  Values Removed: (none)
  Values Added: LinkedIn Resume <= 2.00 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-352
Type: References
  Values Removed: (none)
  Values Added:
Type: Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:11.637Z

Reserved: 2025-10-28T14:28:21.667Z

Link: CVE-2025-12402

Vulnrichment

Updated: 2025-11-04T15:52:13.801Z

NVD

Status : Deferred

Published: 2025-11-04T05:16:12.567

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12402

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses