Description
Cross-Site Request Forgery (CSRF) vulnerability in zetxek WP Lyrics wplyrics allows Stored XSS. This issue affects WP Lyrics: from n/a through <= 0.4.1.
Published: 2025-01-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from a missing CSRF token when creating lyric entries, allowing an attacker to insert arbitrary JavaScript that is persistently stored within the WordPress database. Because the script runs in the context of any visitor to the lyrics page, it can steal session cookies, hijack user accounts, or deface the site. The weakness is classified as CWE-352, a Cross-Site Request Forgery that leads to Stored XSS.

Affected Systems

The issue affects the WP Lyrics plugin developed by zetxek, versions starting from the earliest available release up through 0.4.1. All installations of the plugin before version 0.4.2 are potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate‑to‑high severity, and the EPSS value of less than 1% suggests a low but non‑zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker would send a crafted HTTP request that bypasses CSRF protection to insert malicious content; once stored, every user who views the affected page will execute the injected script. Because no authentication is required to perform the action, any visitor can trigger the attack by visiting a specially crafted URL.

Generated by OpenCVE AI on May 1, 2026 at 21:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Lyrics plugin to a version newer than 0.4.1
  • Disable or remove the WP Lyrics plugin until a patched version is available
  • Manually delete or sanitize any lyric content that may contain malicious script before allowing it to be displayed



Advisories
Source: EUVD
ID: EUVD-2025-3234
Title: Cross-Site Request Forgery (CSRF) vulnerability in Adrian Moreno WP Lyrics allows Stored XSS. This issue affects WP Lyrics: from n/a through 0.4.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Adrian Moreno WP Lyrics allows Stored XSS. This issue affects WP Lyrics: from n/a through 0.4.1.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in zetxek WP Lyrics wplyrics allows Stored XSS. This issue affects WP Lyrics: from n/a through <= 0.4.1.

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 17 Jan 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Jan 2025 20:15:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Adrian Moreno WP Lyrics allows Stored XSS. This issue affects WP Lyrics: from n/a through 0.4.1.

Type: Title
Values Added: WordPress WP Lyrics plugin <= 0.4.1 - CSRF to Stored XSS vulnerability

Type: Weaknesses
Values Added: CWE-352

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:12.291Z

Reserved: 2025-01-16T11:25:56.884Z

Link: CVE-2025-23533

Vulnrichment

Updated: 2025-01-17T17:21:52.744Z

NVD

Status : Deferred

Published: 2025-01-16T20:15:38.930

Modified: 2026-06-17T08:55:09.223

Link: CVE-2025-23533

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T21:15:25Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)