Description
The Associados Amazon Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.8. This is due to missing or incorrect nonce validation on the brzon_admin_panel() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-11-04
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via CSRF
Action: Update Plugin
AI Analysis

Impact

The Associados Amazon Plugin is missing (or incorrectly performs) nonce validation in the brzon_admin_panel() function, allowing an attacker to carry out Cross-Site Request Forgery. An unauthenticated attacker can trick a logged-in site administrator into clicking a crafted link; the administrator's browser then submits the forged request, which updates plugin settings and stores attacker-controlled script in the site database. The resulting stored cross-site scripting executes in the browser of any user who visits the affected pages. The weakness is classified as CWE-352; the severity is moderate, with potential for broader compromise once the stored script runs in an administrator's browser.

Affected Systems

The vulnerability affects the Revokee Associados Amazon Plugin for WordPress in all releases up to and including version 0.8. No specific WordPress core versions are listed; a site is affected only if the plugin is installed.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.1 and an EPSS score below 1%, indicating a low likelihood of exploitation under normal circumstances. It is not listed in CISA's KEV catalog. Exploitation requires no privileges of the attacker's own (PR:N in the vector) but does require user interaction (UI:R): a logged-in administrator must fall for a social-engineering prompt, after which the forged request is executed with that administrator's existing authenticated session. Although the risk is moderate, the exploitability is low, and active administrators are the primary attack target.

Generated by OpenCVE AI on April 21, 2026 at 01:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Associados Amazon Plugin to the latest available version that implements proper nonce validation, or remove the plugin if it is no longer needed.
  • Apply the fix manually by editing the brzon_admin_panel() function so that it verifies a valid nonce (and the caller's capability) before processing any settings change.
  • Implement a web-application firewall rule that blocks POST requests to the plugin's admin panel endpoint that do not originate from the site itself; the forged request carries the administrator's valid session cookie, so the rule must key on request origin rather than on authentication. This is a stopgap while awaiting a patch.
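An illustration of the nonce check the second action calls for, written here as an added example and not taken from the plugin itself: a WordPress settings page whose save handler checks the caller's capability, verifies the nonce with check_admin_referer() before writing, sanitizes the stored value, and escapes it on output. The example_* names, the option key and the manage_options capability are assumptions.

```php
<?php
// Added illustration, not the plugin's code: a settings page whose save
// handler verifies a nonce and the caller's capability before writing.
// The example_* names and the option key are assumptions.

// Render the form; wp_nonce_field() embeds a nonce bound to the
// 'example_save_settings' action in the hidden field 'example_settings_nonce'.
function example_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $tag = get_option( 'example_affiliate_tag', '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_save_settings', 'example_settings_nonce' ); ?>
        <label>Affiliate tag
            <!-- esc_attr() keeps a stored value from breaking out of the attribute -->
            <input type="text" name="example_affiliate_tag" value="<?php echo esc_attr( $tag ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the submission on admin_init. Order matters: capability check,
// then nonce check, then sanitization, and only then the write.
function example_handle_settings_save() {
    if ( ! isset( $_POST['example_affiliate_tag'] ) ) {
        return; // not our form submission
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // A forged cross-site request cannot carry a valid nonce for this action,
    // so check_admin_referer() stops the CSRF path by calling wp_die() on failure.
    check_admin_referer( 'example_save_settings', 'example_settings_nonce' );

    // Sanitize before storing so an injected script never reaches the database.
    $tag = sanitize_text_field( wp_unslash( $_POST['example_affiliate_tag'] ) );
    update_option( 'example_affiliate_tag', $tag );
}
add_action( 'admin_init', 'example_handle_settings_save' );
```

The same pattern applies to AJAX and REST handlers, which should use check_ajax_referer() or a REST nonce rather than trusting the session cookie alone.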

Advisories

No advisories yet.

History

Tue, 04 Nov 2025 16:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress
                                      Wordpress wordpress
Vendors & Products                    Wordpress
                                      Wordpress wordpress

Tue, 04 Nov 2025 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 04 Nov 2025 04:45:00 +0000

Type          Values Removed   Values Added
Description                    The Associados Amazon Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.8. This is due to missing or incorrect nonce validation on the brzon_admin_panel() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title                          Associados Amazon Plugin <= 0.8 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Weaknesses                     CWE-352
References
Metrics                        cvssV3_1
                               {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:33:47.372Z

Reserved: 2025-10-28T14:31:31.184Z

Link: CVE-2025-12403

Vulnrichment

Updated: 2025-11-04T14:58:36.683Z

NVD

Status : Deferred

Published: 2025-11-04T05:16:12.773

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12403

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:00:12Z

Weaknesses