Description
Cross-Site Request Forgery (CSRF) vulnerability in ivobrett Apply with LinkedIn buttons (apply-with-linkedin-buttons) allows Stored XSS. This issue affects Apply with LinkedIn buttons: from n/a through <= 2.3.
Published: 2025-01-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross-Site Request Forgery flaw in the ivobrett Apply with LinkedIn buttons plugin lets an attacker trick an authenticated user's browser into submitting a request that stores attacker-controlled script in the application. Once that script is saved, any user who views the affected data executes the attacker's code in their own browser.

Affected Systems

The vulnerability affects WordPress sites running the Apply with LinkedIn buttons plugin, by ivobrett, from its initial release up to and including version 2.3.

Risk and Exploitability

The CVSS score of 7.1 indicates a high potential for damage, but the EPSS score of less than 1% suggests a low likelihood of exploitation at present, and the flaw is not catalogued in CISA's KEV database. Based on the description, exploitation would require an attacker to get a forged request accepted by the site so that a malicious payload is stored; thereafter, any site visitor who loads the stored data would execute the injected script.

Generated by OpenCVE AI on May 2, 2026 at 06:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Apply with LinkedIn buttons plugin to the latest released version that contains the CSRF and stored XSS fix.
  • If an update is not yet available, disable or remove the plugin so that no new data can be stored through it until a patch can be applied.
  • Manually review any data previously stored by the plugin for injected scripts and remove any malicious content found.



Advisories

Source: EUVD
ID: EUVD-2025-3516
Title: Cross-Site Request Forgery (CSRF) vulnerability in Ivo Brett – ApplyMetrics Apply with LinkedIn buttons allows Stored XSS. This issue affects Apply with LinkedIn buttons: from n/a through 2.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

  Type: Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Type: Description
  Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Ivo Brett – ApplyMetrics Apply with LinkedIn buttons allows Stored XSS.This issue affects Apply with LinkedIn buttons: from n/a through 2.3.
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in ivobrett Apply with LinkedIn buttons apply-with-linkedin-buttons allows Stored XSS.This issue affects Apply with LinkedIn buttons: from n/a through <= 2.3.

  Type: References
  Values Removed:
  Values Added:

  Type: Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 17 Jan 2025 19:15:00 +0000

  Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Jan 2025 20:30:00 +0000

  Type: Description
  Values Removed: (none)
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Ivo Brett – ApplyMetrics Apply with LinkedIn buttons allows Stored XSS.This issue affects Apply with LinkedIn buttons: from n/a through 2.3.

  Type: Title
  Values Removed: (none)
  Values Added: WordPress Apply with LinkedIn buttons plugin <= 2.3 - CSRF to Stored XSS vulnerability

  Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-352

  Type: References
  Values Removed:
  Values Added:

  Type: Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T23:43:59.174Z

Reserved: 2025-01-16T11:31:51.931Z

Link: CVE-2025-23898

Vulnrichment

Updated: 2025-01-17T17:16:32.456Z

NVD

Status: Deferred

Published: 2025-01-16T21:15:31.497

Modified: 2026-06-17T08:57:41.767

Link: CVE-2025-23898

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T06:15:06Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)