Description
The Pagerank Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the pr_save_settings() function and insufficient input sanitization. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. The injected scripts will execute whenever a user accesses the plugin's settings page.
Published: 2025-11-04
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting via CSRF
Action: Patch Now
AI Analysis

Impact

The Pagerank Tools plugin for WordPress contains a stored cross‑site scripting flaw that is triggered through a cross‑site request forgery attack. The flaw arises because the pr_save_settings() function performs no nonce validation and insufficient input sanitization. An attacker who can persuade an administrator to submit a forged request can inject malicious scripts that execute for every user who later visits the plugin’s settings page, compromising the confidentiality and integrity of the site’s data. The root weakness is identified as CWE‑352.

Affected Systems

All installations of the Pagerank Tools plugin from its initial release up to and including version 1.1.5 are affected. The vendor listed is mahype:Pagerank Tools.

Risk and Exploitability

The CVSS 3.1 base score of 6.1 (Medium) indicates a moderate level of risk. The EPSS score of less than 1% suggests that, so far, the vulnerability has a very low exploitation probability, and it is not cataloged in the CISA KEV list. The likely attack vector requires an unauthenticated visitor to trick an administrator into clicking a malicious link or otherwise triggering a crafted HTTP request; because the plugin performs no CSRF check, the forged request is accepted as if the administrator had submitted it. Because the vulnerability leads to stored XSS, it can affect any user who subsequently views the plugin’s settings page. The attacker needs no credentials of their own, since the victim administrator supplies the privilege, which makes the threat surface broad for sites that use this plugin.

Generated by OpenCVE AI on April 22, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Pagerank Tools plugin to the latest available version, which includes the missing nonce validation and proper input sanitization that removes this vulnerability.
  • If an upgrade cannot be performed immediately, limit access to the plugin’s settings page to authenticated administrators only and add an additional nonce check or IP‑whitelisting to guard against CSRF attempts.
  • Scan the settings page for any injected scripts and delete them, ensuring that no malicious code remains on the site after remediation.

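To make the two gaps named in the description and the remediation steps concrete, here is an added example (not Pagerank Tools code, and not the project's pr_save_settings()) of a hypothetical WordPress settings handler in the vulnerable shape beside its hardened form. The function and option names (pr_example_*, 'pr_example_title', 'pr_title') are assumptions for illustration.

```php
<?php
// Added example, not Pagerank Tools code: the function and option names
// (pr_example_*, 'pr_example_title') are assumptions for illustration.

// VULNERABLE SHAPE (CWE-352 + stored XSS): no nonce or capability check,
// the raw POST value is stored, and it is echoed back unescaped.
function pr_example_save_settings_vulnerable() {
    if ( isset( $_POST['pr_title'] ) ) {
        // A forged POST from any site the admin's browser visits is accepted.
        update_option( 'pr_example_title', $_POST['pr_title'] );
    }
}

function pr_example_render_settings_vulnerable() {
    // The stored value lands in the page unescaped for every viewer.
    echo '<input name="pr_title" value="' . get_option( 'pr_example_title' ) . '">';
}

// HARDENED: capability check, nonce verification, sanitize on save,
// escape on output. Each layer closes a different part of the chain.
function pr_example_save_settings() {
    if ( ! isset( $_POST['pr_title'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Stops the request unless it carries the per-user nonce emitted by
    // wp_nonce_field() below; a cross-site forged request cannot obtain one.
    check_admin_referer( 'pr_example_save', 'pr_example_nonce' );

    // Strip slashes WordPress adds, then drop tags and control characters.
    $title = sanitize_text_field( wp_unslash( $_POST['pr_title'] ) );
    update_option( 'pr_example_title', $title );
}

function pr_example_render_settings() {
    echo '<form method="post">';
    wp_nonce_field( 'pr_example_save', 'pr_example_nonce' );
    // esc_attr() neutralises anything that survived sanitization.
    echo '<input name="pr_title" value="'
        . esc_attr( get_option( 'pr_example_title', '' ) ) . '">';
    submit_button();
    echo '</form>';
}
```

The nonce alone blocks the CSRF half of the chain; sanitizing on save and escaping on output are what prevent a stored value from becoming script on the settings page, so a patch review should confirm all three are present.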

Advisories

No advisories yet.

History

Tue, 04 Nov 2025 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 04 Nov 2025 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mahype; Mahype pagerank Tools; Wordpress; Wordpress wordpress
Vendors & Products | | Mahype; Mahype pagerank Tools; Wordpress; Wordpress wordpress

Tue, 04 Nov 2025 04:45:00 +0000

Type | Values Removed | Values Added
Description | | The Pagerank Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the pr_save_settings() function and insufficient input sanitization. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. The injected scripts will execute whenever a user accesses the plugin's settings page.
Title | | Pagerank Tools <= 1.1.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Weaknesses | | CWE-352
References | |
Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:24.988Z

Reserved: 2025-10-28T15:45:10.914Z

Link: CVE-2025-12416

Vulnrichment

Updated: 2025-11-04T20:56:35.187Z

NVD

Status: Deferred

Published: 2025-11-04T05:16:13.717

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12416

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T21:30:27Z

Weaknesses