Description
Cross-Site Request Forgery (CSRF) vulnerability in FuzzGuard Style Admin style-admin allows Stored XSS.This issue affects Style Admin: from n/a through <= 1.4.3.
Published: 2025-01-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cross‑Site Request Forgery in the Style Admin plugin allows an attacker to inject malicious JavaScript into stored data. By forging a request from a victim’s browser, the attacker can store user‑controlled scripts that will run in the context of any user who views the affected content, compromising confidentiality, integrity, and availability of the site.

Affected Systems

WordPress sites running the FuzzGuard Style Admin plugin version 1.4.3 or earlier are affected. Any installation where the plugin is present and enabled is vulnerable until an upgrade or removal.

Risk and Exploitability

The vulnerability scores moderately high with a CVSS of 7.1. The EPSS score of less than 1% indicates a very low probability of exploitation currently, and the issue is not listed in the CISA KEV catalog. Based on the description, the attacker needs to cause a victim's browser to send a forged request, such as by clicking a crafted link or being redirected to a malicious page; it is inferred that authentication is not required, but the CVE data does not explicitly confirm this. Once the request executes, an attacker can store arbitrary JavaScript that will run for all users viewing the affected content.

Generated by OpenCVE AI on May 2, 2026 at 06:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Style Admin to the latest version (≥1.4.4 or newer) as released by the vendor.
  • If an upgrade is not feasible, deactivate or uninstall the Style Admin plugin entirely to eliminate the attack surface.
  • Configure a web‑application firewall or WordPress security plugin to block or inspect POST requests to the plugin’s admin endpoints and require a valid CSRF nonce.

Generated by OpenCVE AI on May 2, 2026 at 06:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3433 Cross-Site Request Forgery (CSRF) vulnerability in Benjamin Guy Style Admin allows Stored XSS.This issue affects Style Admin: from n/a through 1.4.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Benjamin Guy Style Admin allows Stored XSS.This issue affects Style Admin: from n/a through 1.4.3. Cross-Site Request Forgery (CSRF) vulnerability in FuzzGuard Style Admin style-admin allows Stored XSS.This issue affects Style Admin: from n/a through <= 1.4.3.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 17 Jan 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Jan 2025 20:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Benjamin Guy Style Admin allows Stored XSS.This issue affects Style Admin: from n/a through 1.4.3.
Title WordPress Style Admin Plugin <= 1.4.3 - CSRF to Stored XSS vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:20.148Z

Reserved: 2025-01-16T11:30:21.147Z

Link: CVE-2025-23801

cve-icon Vulnrichment

Updated: 2025-01-17T17:18:25.908Z

cve-icon NVD

Status : Deferred

Published: 2025-01-16T21:15:21.190

Modified: 2026-04-23T15:24:32.450

Link: CVE-2025-23801

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T06:15:06Z

Weaknesses