Description
Cross-Site Request Forgery (CSRF) vulnerability in bozdoz Quote Tweet quote-tweet allows Stored XSS.This issue affects Quote Tweet: from n/a through <= 0.7.
Published: 2025-01-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery that allows an attacker to submit data to the Quote Tweet plugin that is stored and later rendered in the site’s pages. The stored content can contain malicious scripts, which will execute in the context of the administrator’s browser session, potentially exposing sensitive cookies, credentials, or performing actions on behalf of the admin.

Affected Systems

The WordPress Quote Tweet plugin by bozdoz, versions up to and including 0.7, is affected. All installations that have this plugin active are at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates substantial impact when exploited. With an EPSS score of less than 1% and no listing in the CISA KEV catalog, the likelihood of widespread exploitation is currently low, but the risk exists if an attacker can trick an admin user into performing a forged request. An attacker would need user interaction, such as a malicious link or form, to insert the XSS payload and then rely on a later page view to trigger the script.

Generated by OpenCVE AI on May 1, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Quote Tweet plugin to a version newer than 0.7 that addresses the CSRF and XSS issues.
  • If an upgrade is not immediately possible, deactivate or uninstall the Quote Tweet plugin to remove the vulnerability vector.
  • Implement CSRF token validation for all form submissions in the plugin, or restrict the plugin’s functionality to administrator roles only.

Generated by OpenCVE AI on May 1, 2026 at 22:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-2864 Cross-Site Request Forgery (CSRF) vulnerability in bozdoz Quote Tweet allows Stored XSS.This issue affects Quote Tweet: from n/a through 0.7.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in bozdoz Quote Tweet allows Stored XSS.This issue affects Quote Tweet: from n/a through 0.7. Cross-Site Request Forgery (CSRF) vulnerability in bozdoz Quote Tweet quote-tweet allows Stored XSS.This issue affects Quote Tweet: from n/a through <= 0.7.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 07 Jan 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Jan 2025 15:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in bozdoz Quote Tweet allows Stored XSS.This issue affects Quote Tweet: from n/a through 0.7.
Title WordPress Quote Tweet plugin <= 0.7 - CSRF to Stored XSS vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:02.591Z

Reserved: 2025-01-07T10:23:51.454Z

Link: CVE-2025-22589

cve-icon Vulnrichment

Updated: 2025-01-07T16:53:42.511Z

cve-icon NVD

Status : Deferred

Published: 2025-01-07T16:15:55.053

Modified: 2026-06-17T08:48:30.657

Link: CVE-2025-22589

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T22:30:16Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)