Description
Cross-Site Request Forgery (CSRF) vulnerability in artanik Hack me if you can hack-me-if-you-can allows Stored XSS. This issue affects Hack me if you can: from n/a through <= 1.2.
Published: 2025-01-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross-Site Request Forgery flaw that lets an attacker inject malicious JavaScript into data the plugin stores. Because the plugin accepts the forged request and later renders the stored payload without proper sanitization, the result is a Stored Cross-Site Scripting (XSS) vulnerability. Consequences include session hijacking, defacement, or execution of arbitrary script in the victim's browser context.

Affected Systems

The affected systems are WordPress installations running the 'Hack me if you can' plugin, version 1.2 or earlier, published by the vendor artanik. No finer-grained version data is supplied, so the risk applies to any installation running a plugin version in that range.

Risk and Exploitability

The CVSS score of 7.1 is rated High, while an EPSS score below 1% indicates a very low but non-zero likelihood of exploitation; the vulnerability is not currently listed in the CISA KEV catalog. The flaw is exploitable through a CSRF attack vector: an attacker forces an authenticated or unauthenticated WordPress user to submit a crafted request that the plugin accepts, embedding malicious JavaScript. This requires luring the user to a malicious page that triggers the forged request, typically via a hidden form or image.

Generated by OpenCVE AI on May 1, 2026 at 20:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ‘Hack me if you can’ plugin to a version newer than 1.2 or remove the plugin entirely.
  • If an immediate update is not possible, disable the plugin via the WordPress admin panel or delete its files to prevent further exploitation.
  • Implement a web application firewall or security plugin that validates CSRF tokens for all state‑changing requests and blocks stored XSS payloads.

Advisories

Source: EUVD
ID: EUVD-2025-3366
Title: Cross-Site Request Forgery (CSRF) vulnerability in Artem Anikeev Hack me if you can allows Stored XSS. This issue affects Hack me if you can: from n/a through 1.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Artem Anikeev Hack me if you can allows Stored XSS.This issue affects Hack me if you can: from n/a through 1.2.
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in artanik Hack me if you can hack-me-if-you-can allows Stored XSS.This issue affects Hack me if you can: from n/a through <= 1.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 12 Feb 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Jan 2025 20:15:00 +0000

Type Values Removed Values Added
Description
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Artem Anikeev Hack me if you can allows Stored XSS.This issue affects Hack me if you can: from n/a through 1.2.
Title
  Values Added: WordPress Hack me if you can plugin <= 1.2 - CSRF to Stored XSS vulnerability
Weaknesses
  Values Added: CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:17.756Z

Reserved: 2025-01-16T11:28:39.044Z

Link: CVE-2025-23713

Vulnrichment

Updated: 2025-02-12T20:26:38.484Z

NVD

Status: Deferred

Published: 2025-01-16T20:15:45.940

Modified: 2026-06-17T08:56:36.317

Link: CVE-2025-23713

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T21:00:08Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)