Description
The Centangle-Team plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. Additionally, due to insufficient input sanitization and output escaping of the cai_name_color parameter, this issue allows injection of arbitrary web scripts into pages that will execute whenever a user accesses an injected page.
Published: 2025-11-04
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized plugin configuration changes and stored cross‑site scripting
Action: Apply Patch
AI Analysis

Impact

The Centangle‑Team WordPress plugin lacks nonce validation on a settings handler, so a request reaching that handler cannot be distinguished from one forged by a third‑party site. This weakness is Cross‑Site Request Forgery (CWE‑352). By tricking a logged‑in administrator into clicking a crafted link, an attacker who holds no credentials of their own can alter the plugin's settings through the administrator's session. In addition, the plugin neither sanitizes the cai_name_color parameter on input nor escapes it on output, so a value containing markup is stored and rendered as script on every page that uses the setting. The combined effect is that an attacker can remotely alter the site configuration and persistently deliver malicious scripts to all visitors, which can lead to defacement, credential theft, or session hijacking.

Affected Systems

All WordPress installations running the Centangle‑Team plugin (named Centangle Team Showcase in the CVE title) at version 1.0.0 or earlier are affected. The CVE was assigned by Wordfence as the CNA; the record's vendor and product entry is WordPress. No fixed release is listed in this record.

Risk and Exploitability

The CVSS 3.1 base score of 6.1 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) places this at medium severity: the attack is network‑reachable and needs no privileges, but it requires user interaction, since an administrator must follow the forged request, and its confidentiality and integrity impact is rated low. The EPSS score below 1% indicates a very low probability of exploitation under current threat intelligence, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment in the history below records no known exploitation and rates the flaw as not automatable. Exploitation therefore depends on social‑engineering an administrator, which is feasible but does not scale. Once the setting has been changed, however, the stored XSS component executes for every visitor who loads a page that renders the tainted value, whether or not that visitor is logged in, giving a persistent client‑side impact.

Generated by OpenCVE AI on April 22, 2026 at 06:05 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Centangle‑Team plugin as soon as the vendor publishes a release that removes the CSRF and XSS flaws; this record lists no fixed version, so check the plugin's changelog rather than assuming one exists.
  • If no patched release exists, uninstall the plugin entirely (deactivating it alone leaves the code on disk) and remove any options it left in the wp_options table. If the plugin has been in use, inspect the stored cai_name_color value for injected markup before removal, since a tainted value is evidence that the CSRF step already succeeded.
  • Harden the WordPress administrative interface while the plugin remains installed: restrict wp‑admin access to known IP addresses, enable two‑factor authentication, and remind administrators not to follow unsolicited links while logged in. For anyone maintaining the plugin's code, the settings handler must verify both a nonce (check_admin_referer()) and a capability (current_user_can()) on the server side, sanitize cai_name_color on input, and escape it at the point of output.
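The two defects described under Impact, and the nonce, capability, sanitization and escaping checks the last bullet above calls for, shown side by side as an added illustration. This is not the plugin's own code (the advisory does not publish it): it is a minimal WordPress settings handler in a vulnerable form and a hardened form. Function, hook and option names are assumptions; only the cai_name_color parameter name comes from the description.

```php
<?php
/*
 * Added example, not code from the Centangle Team Showcase plugin.
 * All names prefixed cai_example_ are assumptions; cai_name_color is the
 * parameter named in the advisory. Runs only inside WordPress.
 */

// --- Vulnerable pattern (shown for contrast; not hooked) ---------------------
// 1. No nonce or capability check: any page an admin visits can POST here,
//    and the browser attaches the admin's session cookie (CWE-352).
// 2. The value is stored raw and echoed raw inside an attribute, so a payload
//    such as  red"><script>...</script>  becomes stored XSS.
function cai_example_save_settings_vulnerable() {
    if ( isset( $_POST['cai_name_color'] ) ) {
        update_option( 'cai_example_name_color', $_POST['cai_name_color'] );
    }
}

function cai_example_render_name_vulnerable( $name ) {
    $color = get_option( 'cai_example_name_color', '#000000' );
    // Unescaped output: an attacker-controlled option breaks out of the attribute.
    echo '<span style="color:' . $color . '">' . $name . '</span>';
}

// --- Hardened pattern ---------------------------------------------------------
function cai_example_settings_form() {
    echo '<form method="post">';
    // Emits a nonce field bound to the logged-in user and this action, plus a
    // hidden referer field. A third-party site cannot obtain this token.
    wp_nonce_field( 'cai_example_save_settings', 'cai_example_nonce' );
    echo '<input type="text" name="cai_name_color" value="'
        . esc_attr( get_option( 'cai_example_name_color', '#000000' ) ) . '">';
    submit_button();
    echo '</form>';
}

function cai_example_save_settings_hardened() {
    if ( ! isset( $_POST['cai_name_color'] ) ) {
        return;
    }
    // Capability check: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check: a forged cross-site POST cannot carry a valid token, so
    // WordPress ends the request here before anything is written.
    check_admin_referer( 'cai_example_save_settings', 'cai_example_nonce' );

    // Input sanitization: accept only "#" followed by 3 or 6 hex digits.
    // sanitize_hex_color() returns null for anything else (and '' for ''),
    // so script payloads are rejected rather than stored.
    $color = sanitize_hex_color( wp_unslash( $_POST['cai_name_color'] ) );
    if ( empty( $color ) ) {
        add_settings_error( 'cai_example', 'bad_color', 'Invalid colour value.' );
        return;
    }
    update_option( 'cai_example_name_color', $color );
}
add_action( 'admin_init', 'cai_example_save_settings_hardened' );

function cai_example_render_name_hardened( $name ) {
    $color = get_option( 'cai_example_name_color', '#000000' );
    // Output escaping at the sink: even a bad value that reached the database
    // (for example from an older, unsanitized version) cannot break out.
    echo '<span style="color:' . esc_attr( $color ) . '">' . esc_html( $name ) . '</span>';
}
```

The hardened handler applies the two controls in the order an attacker would meet them: the nonce check defeats the forged request outright, and the sanitize‑on‑input plus escape‑on‑output pair ensures that even a value written before the fix cannot execute when rendered. Escaping at the sink is what protects existing sites, since the CSRF fix alone does nothing for a payload already stored in cai_name_color.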

Generated by OpenCVE AI on April 22, 2026 at 06:05 UTC.

Advisories

No advisories yet.

History

Tue, 04 Nov 2025 17:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 04 Nov 2025 16:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Wordpress
                                       Wordpress wordpress
Vendors & Products                     Wordpress
                                       Wordpress wordpress

Tue, 04 Nov 2025 04:45:00 +0000

Type          Values Removed   Values Added
Description                    The Centangle-Team plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to modify plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Additionally, due to insufficient input sanitization and output escaping on cai_name_color parameter, this issue allows to inject arbitrary web scripts in pages, that will execute whenever a user accesses an injected page.
Title                          Centangle Team Showcase <= 1.0.0 - Cross-Site Request Forgery To Plugin's Settings Modification And Stored Cross-Site Scripting
Weaknesses                     CWE-352
References
Metrics                        cvssV3_1
                               {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:00:15.254Z

Reserved: 2025-10-28T22:14:56.946Z

Link: CVE-2025-12456

Vulnrichment

Updated: 2025-11-04T16:43:16.817Z

NVD

Status: Deferred

Published: 2025-11-04T05:16:16.587

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12456

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:15:10Z

Weaknesses