Description
Cross-Site Request Forgery (CSRF) vulnerability in Matt Gibbs Admin Cleanup admin-cleanup allows Stored XSS.This issue affects Admin Cleanup: from n/a through <= 1.0.2.
Published: 2025-01-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the WordPress Admin Cleanup plugin allows an attacker to perform a cross‑site request forgery that injects a persistent script into the site’s content. Once stored, the script executes in the browsers of any user who views the affected content, potentially compromising account sessions, defacing the site, or delivering malicious payloads.

Affected Systems

Users running the Matt Gibbs Admin Cleanup plugin version 1.0.2 or earlier are affected. No other products or versions are listed as impacted.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity, while an EPSS score of less than 1% shows a low likelihood of widespread exploitation at present. The issue is not listed in the CISA KEV catalog. Exploitation requires an attacker to send a crafted request that triggers the CSRF in an authenticated admin session, making attackers who can lure an administrator to a malicious link capable of injecting the stored script.

Generated by OpenCVE AI on May 1, 2026 at 20:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Admin Cleanup plugin to a version newer than 1.0.2
  • If an immediate update is not possible, remove or deactivate the Admin Cleanup plugin to prevent the vulnerability from being usable
  • Restrict administrative access to trusted users and monitor for unexpected changes to site content

Generated by OpenCVE AI on May 1, 2026 at 20:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3461 Cross-Site Request Forgery (CSRF) vulnerability in Matt Gibbs Admin Cleanup allows Stored XSS.This issue affects Admin Cleanup: from n/a through 1.0.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Matt Gibbs Admin Cleanup allows Stored XSS.This issue affects Admin Cleanup: from n/a through 1.0.2. Cross-Site Request Forgery (CSRF) vulnerability in Matt Gibbs Admin Cleanup admin-cleanup allows Stored XSS.This issue affects Admin Cleanup: from n/a through <= 1.0.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 17 Jan 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Jan 2025 20:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Matt Gibbs Admin Cleanup allows Stored XSS.This issue affects Admin Cleanup: from n/a through 1.0.2.
Title WordPress Admin Cleanup plugin <= 1.0.2 - CSRF to Stored XSS vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T22:50:38.171Z

Reserved: 2025-01-16T11:30:58.638Z

Link: CVE-2025-23832

cve-icon Vulnrichment

Updated: 2025-01-17T17:50:32.088Z

cve-icon NVD

Status : Deferred

Published: 2025-01-16T21:15:24.510

Modified: 2026-06-17T08:57:35.167

Link: CVE-2025-23832

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T20:45:25Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)