Description
The WP Hallo Welt plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the 'hallo_welt_seite' function. This makes it possible for unauthenticated attackers to update plugin settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. Due to the insufficient input sanitization and output escaping, this can lead to Stored Cross-Site Scripting.
Published: 2025-12-20
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting via Cross-Site Request Forgery
Action: Immediate Patch
AI Analysis

Impact

The WP Hallo Welt plugin for WordPress contains a Cross-Site Request Forgery vulnerability in the 'hallo_welt_seite' function. Because the function does not correctly validate a WordPress nonce, a request that changes plugin settings is accepted on the strength of the administrator's session cookie alone. An unauthenticated attacker therefore only needs a logged-in administrator to open an attacker-controlled page or link; the administrator's browser then submits the forged request and the attacker's chosen value is saved into the plugin settings. Because that value is neither sanitized when stored nor escaped when rendered, it executes as script in the browser of any user who views the affected page. The result is stored Cross-Site Scripting; the CVSS vector rates it as a low-impact loss of confidentiality and integrity with no availability impact (C:L/I:L/A:N), though script running in an administrator's browser session can perform any action that administrator can.

Affected Systems

WordPress sites running the WP Hallo Welt plugin at version 1.4 or earlier are affected; the vulnerable range is every release up to and including 1.4, and no fixed release is listed on this page.

Risk and Exploitability

The CVSS 3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) reflects a network-reachable flaw that needs no privileges but does require user interaction, with a scope change because the injected script runs in site visitors' browsers rather than only in the vulnerable plugin. The EPSS score below 1% indicates that exploitation in the wild is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. The attack path is classic CSRF: the attacker lures a logged-in administrator to a page that submits a form to the plugin's settings handler, and the missing nonce check lets the request through. Because the stored value is not sanitized or escaped, a single successful request yields persistent XSS that can steal session cookies, deface the site, or serve malware to visitors.

Generated by OpenCVE AI on April 21, 2026 at 00:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Hallo Welt to a release newer than 1.4 as soon as one is available
  • If an immediate update is not possible, uninstall or disable the plugin entirely to prevent malicious configuration changes
  • Put a web application firewall in front of wp-admin as a compensating control; it does not replace the real fix, which is nonce verification (check_admin_referer or wp_verify_nonce) and a capability check in the plugin's settings handler, together with sanitizing input on save and escaping output on render
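The following is an added illustration of the defect pattern the advisory describes and of the corrected shape; it is not code from the WP Hallo Welt plugin, whose 'hallo_welt_seite' source is not reproduced on this page. All names prefixed hw_demo_ are hypothetical. The WordPress functions used (current_user_can, check_admin_referer, wp_nonce_field, sanitize_text_field, wp_unslash, esc_html, esc_attr, update_option, get_option, add_options_page) are real core APIs.

```php
<?php
/**
 * Added illustration, not code from the WP Hallo Welt plugin.
 * All hw_demo_* names are hypothetical.
 *
 * Both handlers follow the usual shape of a WordPress options page:
 * a form that POSTs back to the same page and a branch that saves the
 * submitted value with update_option(). The first reproduces the two
 * defects the advisory describes (no nonce check, no sanitization or
 * escaping); the second shows the hardened form.
 */

/* --- Vulnerable shape: CSRF leading to stored XSS (not registered) --- */

function hw_demo_vulnerable_page() {
    // Any POST is trusted. A form on an attacker's site, submitted by a
    // logged-in administrator's browser, arrives with the admin's cookies
    // and is accepted because no nonce is verified.
    if ( isset( $_POST['hw_demo_greeting'] ) ) {
        update_option( 'hw_demo_greeting', $_POST['hw_demo_greeting'] ); // unsanitized
    }
    $greeting = get_option( 'hw_demo_greeting', 'Hallo Welt' );
    // Unescaped output: a stored <script> payload runs for every viewer.
    echo '<div class="wrap"><h1>' . $greeting . '</h1>';
    echo '<form method="post">';
    echo '<input type="text" name="hw_demo_greeting" value="' . $greeting . '">';
    echo '<input type="submit" class="button-primary" value="Save">';
    echo '</form></div>';
}

/* --- Hardened shape ---------------------------------------------------- */

function hw_demo_hardened_page() {
    // 1. Authorization: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.', 'hw-demo' ) );
    }

    if ( isset( $_POST['hw_demo_greeting'] ) ) {
        // 2. CSRF protection: check_admin_referer() verifies the nonce that
        //    wp_nonce_field() emitted for this action and calls wp_die() on
        //    failure, so a form forged on another origin never reaches the save.
        check_admin_referer( 'hw_demo_save_greeting' );

        // 3. Input sanitization: strip tags and control characters before
        //    the value is stored.
        $clean = sanitize_text_field( wp_unslash( $_POST['hw_demo_greeting'] ) );
        update_option( 'hw_demo_greeting', $clean );
    }

    $greeting = get_option( 'hw_demo_greeting', 'Hallo Welt' );

    // 4. Output escaping: context-specific escaping at the point of output,
    //    independent of whatever sanitization happened on the way in.
    echo '<div class="wrap"><h1>' . esc_html( $greeting ) . '</h1>';
    echo '<form method="post">';
    wp_nonce_field( 'hw_demo_save_greeting' );
    echo '<input type="text" name="hw_demo_greeting" value="' . esc_attr( $greeting ) . '">';
    echo '<input type="submit" class="button-primary" value="Save">';
    echo '</form></div>';
}

// Register only the hardened page under Settings (hypothetical menu entry).
add_action( 'admin_menu', function () {
    add_options_page( 'HW Demo', 'HW Demo', 'manage_options', 'hw-demo', 'hw_demo_hardened_page' );
} );
```

The nonce and the capability check do different jobs and both are needed: the nonce proves the form was rendered by WordPress for this user and this action, while current_user_can proves the user is allowed to change the setting. Escaping at output is what stops the stored XSS even if a value reached the option through some other path.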

Advisories

No advisories yet.

History

Mon, 22 Dec 2025 21:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Dec 2025 21:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Sat, 20 Dec 2025 03:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The WP Hallo Welt plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the 'hallo_welt_seite' function. This makes it possible for unauthenticated attackers to update plugin settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to the insufficient input sanitization and output escaping, this can lead to Stored Cross-Site Scripting.

Type: Title
Values Removed: (none)
Values Added: WP Hallo Welt <= 1.4. - Cross-Site Request Forgery to Stored Cross-Site Scripting

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-352

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:31.845Z

Reserved: 2025-11-18T17:08:35.108Z

Link: CVE-2025-13365

Vulnrichment

Updated: 2025-12-22T20:28:37.108Z

NVD

Status : Deferred

Published: 2025-12-20T04:16:07.367

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13365

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:45:23Z

Weaknesses