Description
Cross-Site Request Forgery (CSRF) vulnerability in koter84 wpSOL wpsol allows Stored XSS. This issue affects wpSOL: from n/a through <= 1.2.0.
Published: 2025-01-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross‑Site Request Forgery flaw in the wpSOL WordPress plugin allows an attacker to submit a request that the plugin accepts, storing a malicious script. The stored script is later displayed as part of the site’s content, creating a Stored XSS condition for users who view that content.

Affected Systems

WordPress sites using the wpSOL plugin from vendor koter84 with any version up to and including 1.2.0 are affected.

Risk and Exploitability

The CVSS score of 7.1 indicates a high potential for serious impact. The EPSS score is less than 1%, showing a low probability of exploitation at present, and the vulnerability is not listed in CISA KEV. The attack vector is a CSRF request; based on the description, it is inferred that the plugin does not fully validate the origin of incoming requests, allowing the attacker’s crafted request to be accepted and the malicious content stored.

Generated by OpenCVE AI on May 2, 2026 at 11:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the wpSOL plugin to the latest available version from the official WordPress plugin repository.
  • If an upgrade cannot be applied immediately, limit access to the plugin’s administrative pages to users who possess the Administrator role and remove or sanitize any stored content that may contain script tags.
  • Add CSRF validation (e.g., a token or HTTP referer check) before accepting data submission requests into the plugin.
  • Ensure that any content rendered by the plugin is properly sanitized to strip or encode executable script elements.
  • Deploy a web application firewall rule set that blocks known XSS payloads when the wpSOL data submission endpoints are hit from untrusted origins.



Advisories
Source | ID | Title
EUVD | EUVD-2025-2742 | Cross-Site Request Forgery (CSRF) vulnerability in Dennis Koot wpSOL allows Stored XSS. This issue affects wpSOL: from n/a through 1.2.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Dennis Koot wpSOL allows Stored XSS. This issue affects wpSOL: from n/a through 1.2.0.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in koter84 wpSOL wpsol allows Stored XSS. This issue affects wpSOL: from n/a through <= 1.2.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 07 Jan 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Jan 2025 11:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Dennis Koot wpSOL allows Stored XSS. This issue affects wpSOL: from n/a through 1.2.0.
Title WordPress wpSOL plugin <= 1.2.0 - CSRF to Stored XSS vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T22:35:59.995Z

Reserved: 2025-01-03T13:16:41.393Z

Link: CVE-2025-22343

Vulnrichment

Updated: 2025-01-07T15:51:25.685Z

NVD

Status: Deferred

Published: 2025-01-07T11:15:17.743

Modified: 2026-06-17T08:46:37.873

Link: CVE-2025-22343

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T12:00:14Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)