Description
The WP-Walla plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 0.5.3.5. This is due to missing nonce verification on the settings page and insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Published: 2025-11-11
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS via CSRF
Action: Immediate Patch
AI Analysis

Impact

The WP-Walla plugin does not validate nonces on its settings page, allowing an unauthenticated user to submit a forged request that an administrator may unknowingly execute. Input supplied in that request is saved without proper sanitization, and when the plugin later outputs the stored setting without escaping, the embedded script runs in visitors' browsers. This stored cross-site scripting, enabled by a CSRF weakness (CWE-352), gives an attacker a vector to inject arbitrary script into the site's pages and potentially manipulate or deface content for all users.
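As an added illustration (not WP-Walla's own code; the option, form and function names are hypothetical), the settings-page pattern the advisory describes, beside a hardened form that adds the missing nonce verification, input sanitization and output escaping:

```php
<?php
// Added example, hypothetical plugin names; shows the bug class, not WP-Walla's code.

// VULNERABLE pattern: no capability or nonce check, raw POST data stored,
// stored value echoed unescaped. A forged cross-site form submitted by a
// logged-in administrator lands here and the payload persists for every visitor.
function vuln_example_save_settings() {
    if ( isset( $_POST['vuln_example_banner'] ) ) {
        update_option( 'vuln_example_banner', $_POST['vuln_example_banner'] );
    }
}
function vuln_example_render_banner() {
    echo '<div class="banner">' . get_option( 'vuln_example_banner', '' ) . '</div>';
}

// HARDENED pattern: the form carries a nonce tied to a specific action, the
// handler requires the capability and the nonce, sanitizes before saving, and
// the renderer escapes on output.
function hardened_example_settings_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'hardened_example_save', 'hardened_example_nonce' ); ?>
        <input type="text" name="hardened_example_banner"
               value="<?php echo esc_attr( get_option( 'hardened_example_banner', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
function hardened_example_save_settings() {
    if ( ! isset( $_POST['hardened_example_banner'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // check_admin_referer() terminates the request with a 403 page when the
    // nonce is absent or does not match the action, so a forged request from
    // another origin never reaches update_option().
    check_admin_referer( 'hardened_example_save', 'hardened_example_nonce' );
    $clean = sanitize_text_field( wp_unslash( $_POST['hardened_example_banner'] ) );
    update_option( 'hardened_example_banner', $clean );
}
function hardened_example_render_banner() {
    // Escaping at output time is the second, independent layer: even a value
    // that reached the database unsanitized is rendered as inert text.
    echo '<div class="banner">' . esc_html( get_option( 'hardened_example_banner', '' ) ) . '</div>';
}
add_action( 'admin_init', 'hardened_example_save_settings' );
```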

Affected Systems

WordPress websites that have the WP-Walla plugin from vendor baronen, in versions 0.5.3.5 and all earlier releases.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity, and the EPSS score of less than 1% shows that actual exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to lure an administrator into clicking a crafted link or submitting a form that triggers the settings update, after which the injected script becomes part of the page content for all visitors.

Generated by OpenCVE AI on April 21, 2026 at 18:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP-Walla to the latest version that includes nonce verification and proper output sanitization.
  • If an upgrade is not immediately possible, remove the WP-Walla plugin from the site to eliminate the attack surface.
  • Monitor administrative activity and user sessions for suspicious requests that could indicate a successful CSRF attempt.


Tracking


Advisories

No advisories yet.

History

Wed, 12 Nov 2025 21:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 12 Nov 2025 13:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Tue, 11 Nov 2025 03:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The WP-Walla plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 0.5.3.5. This is due to missing nonce verification on the settings page and insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages via a forged request granted they can trick an administrator into performing an action such as clicking on a link.

Type: Title
Values Removed: (none)
Values Added: WP-Walla <= 0.5.3.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-352

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:15.087Z

Reserved: 2025-10-31T22:34:41.036Z

Link: CVE-2025-12589

Vulnrichment

Updated: 2025-11-12T15:58:44.637Z

NVD

Status : Deferred

Published: 2025-11-11T04:15:47.230

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12589

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:30:27Z

Weaknesses