Description
Cross-Site Request Forgery (CSRF) vulnerability in Tamer Ziady GDReseller gdreseller allows Stored XSS. This issue affects GDReseller: from n/a through <= 1.6.
Published: 2025-01-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The GDReseller plugin for WordPress contains a cross-site request forgery flaw that lets an attacker cause an authenticated user's browser to submit malicious data that the site then stores. Because the plugin lacks proper CSRF protection, such a forged request can inject a payload that is later rendered as HTML or JavaScript in the context of the site. The resulting stored XSS can run arbitrary script in the browser of any visitor, enabling session hijacking, defacement, or further exploitation. The weakness is classified as CWE-352.

Affected Systems

GDReseller v1.6 and all earlier releases for WordPress. Any site that has installed the plugin without updating beyond 1.6 is vulnerable. No minimum affected version is given ("n/a"); only the maximum, 1.6, is stated.

Risk and Exploitability

The CVSS base score of 7.1 indicates high severity. The EPSS score of less than 1% suggests a low probability of exploitation at present, and the issue is not listed in CISA's KEV catalog. Based on the description, the likely attack vector is that an attacker crafts a forged request that an authenticated user unknowingly submits, storing a script that is then executed in the browser of every visitor to the site. The impact is potentially widespread, but user interaction is required to plant the stored payload.

Generated by OpenCVE AI on May 1, 2026 at 21:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the GDReseller plugin to a version that removes the vulnerability, or uninstall the plugin entirely if an update is not available.
  • Deploy a Web Application Firewall or use a WordPress security plugin that can detect and block stored XSS payloads.
  • Perform a security scan or manual review of the site to confirm that no malicious scripts are present in plugin settings or other content and that the vulnerability has been fully mitigated.

Advisories
Source: EUVD
ID: EUVD-2025-3252
Title: Cross-Site Request Forgery (CSRF) vulnerability in Intuitive Design GDReseller allows Stored XSS. This issue affects GDReseller: from n/a through 1.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description, value removed: Cross-Site Request Forgery (CSRF) vulnerability in Intuitive Design GDReseller allows Stored XSS. This issue affects GDReseller: from n/a through 1.6.
  Description, value added: Cross-Site Request Forgery (CSRF) vulnerability in Tamer Ziady GDReseller gdreseller allows Stored XSS. This issue affects GDReseller: from n/a through <= 1.6.
  References: (values not listed)
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 17 Jan 2025 20:15:00 +0000

  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Jan 2025 20:15:00 +0000

  Description: Cross-Site Request Forgery (CSRF) vulnerability in Intuitive Design GDReseller allows Stored XSS. This issue affects GDReseller: from n/a through 1.6.
  Title: WordPress GDReseller plugin <= 1.6 - CSRF to Stored XSS vulnerability
  Weaknesses: CWE-352
  References: (values not listed)
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:13.328Z

Reserved: 2025-01-16T11:26:20.969Z

Link: CVE-2025-23567

Vulnrichment

Updated: 2025-01-17T17:21:16.676Z

NVD

Status: Deferred

Published: 2025-01-16T20:15:40.090

Modified: 2026-06-17T08:55:25.723

Link: CVE-2025-23567

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T21:15:25Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)