Description
Cross-Site Request Forgery (CSRF) vulnerability in Ofek Nakar Virtual Bot virtual-bot allows Stored XSS.This issue affects Virtual Bot: from n/a through <= 1.0.0.
Published: 2025-01-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Virtual Bot WordPress plugin up to version 1.0.0 contains a CSRF flaw that allows an attacker to inject malicious JavaScript which is stored and later executed whenever a page is viewed. The vulnerability is a classic Stored Cross‑Site Scripting, identified by CWE‑352. If an attacker successfully submits the payload through a CSRF request, the script will run under the context of any authenticated or even unauthenticated user who views the affected content, potentially leaking cookies, hijacking sessions, or defacing the site.

Affected Systems

All installations of Ofek Nakar Virtual Bot plugin for WordPress with a version of 1.0.0 or earlier are affected. The vulnerability applies to every release from the initial version up through and including 1.0.0.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate to high severity. The EPSS score of less than 1% suggests a very low likelihood of exploitation at the present time. The flaw is not listed in CISA KEV. Likely exploitation requires an attacker to craft a CSRF request that an authenticated user will unknowingly accept; once executed, the stored script will affect all users who view the compromised page.

Generated by OpenCVE AI on May 1, 2026 at 22:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Virtual Bot plugin to a version later than 1.0.0.
  • If no newer release is available, disable or uninstall the plugin until a fix is released.
  • Ensure all WordPress forms include proper anti‑CSRF tokens and verify after the update that no stored scripts remain on webpages.

Generated by OpenCVE AI on May 1, 2026 at 22:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-2816 Cross-Site Request Forgery (CSRF) vulnerability in Ofek Nakar Virtual Bot allows Stored XSS.This issue affects Virtual Bot: from n/a through 1.0.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Ofek Nakar Virtual Bot allows Stored XSS.This issue affects Virtual Bot: from n/a through 1.0.0. Cross-Site Request Forgery (CSRF) vulnerability in Ofek Nakar Virtual Bot virtual-bot allows Stored XSS.This issue affects Virtual Bot: from n/a through <= 1.0.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 07 Jan 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Jan 2025 15:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Ofek Nakar Virtual Bot allows Stored XSS.This issue affects Virtual Bot: from n/a through 1.0.0.
Title WordPress Virtual Bot Plugin <= 1.0.0 - CSRF Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:01.199Z

Reserved: 2025-01-07T10:23:07.226Z

Link: CVE-2025-22538

cve-icon Vulnrichment

Updated: 2025-01-07T17:17:44.705Z

cve-icon NVD

Status : Deferred

Published: 2025-01-07T16:15:49.460

Modified: 2026-06-17T08:48:06.103

Link: CVE-2025-22538

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T22:30:16Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)