Description
Cross-Site Request Forgery (CSRF) vulnerability in cybio GravatarLocalCache gravatarlocalcache allows Cross Site Request Forgery. This issue affects GravatarLocalCache: from n/a through <= 1.1.2.
Published: 2025-01-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross-Site Request Forgery flaw in the GravatarLocalCache plugin. An attacker who gets an authenticated user to submit a forged request can modify content that the plugin stores, which may include arbitrary JavaScript. When other visitors load that stored content, the injected script executes in their browsers. The CVE data does not specify cookie theft or defacement, but the stored script can run client-side code.

Affected Systems

WordPress sites running the cybio GravatarLocalCache plugin at version 1.1.2 or earlier are affected; every installation in that version range is susceptible.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. The EPSS score of <1% implies a low probability of widespread exploitation, and the vulnerability is not listed in CISA's KEV catalog. The most likely attack vector is a malicious link that causes an authenticated user's browser to issue the forged request, so that the attacker's script is stored and later executed for other site visitors.

Generated by OpenCVE AI on May 2, 2026 at 06:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update GravatarLocalCache to a version newer than 1.1.2 once the vendor releases an update.
  • If an update is not yet available, remove or disable the plugin to prevent the CSRF flaw from being exploitable.
  • Implement CSRF token validation on any forms that modify stored content, and consider using SameSite cookie attributes to reduce CSRF susceptibility.
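As an added illustration of the token-validation recommendation (this is not code from the GravatarLocalCache plugin or from OpenCVE), the following hypothetical WordPress admin form and handler shows the nonce, capability, sanitization and output-escaping checks that close the CSRF-to-stored-XSS chain described above; the option name, action slug and field names are assumed.

```php
<?php
// Added illustration (not the GravatarLocalCache plugin's own code): a
// hypothetical WordPress admin form that stores text later rendered to
// visitors, shown with the CSRF/XSS controls the recommendation calls for.
// The option name, action slug and field names are assumed, not the plugin's.

const GLC_EXAMPLE_OPTION = 'glc_example_cache_notice';

// Render the settings form. wp_nonce_field() emits the CSRF token, which is
// bound to the current user's session and to the 'glc_example_save' action.
function glc_example_render_form() {
    $current = get_option( GLC_EXAMPLE_OPTION, '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'glc_example_save', 'glc_example_nonce' ); ?>
        <input type="hidden" name="action" value="glc_example_save">
        <input type="text" name="notice" value="<?php echo esc_attr( $current ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the POST. Without checks 1 and 2, any page an administrator visits
// could submit this form on their behalf (CSRF); without 3 and 4, the stored
// text would become stored XSS for every visitor who renders it.
function glc_example_handle_save() {
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF check: the nonce must match this action and this user, or WP dies.
    check_admin_referer( 'glc_example_save', 'glc_example_nonce' );

    // 3. Sanitize on input: strip tags and control characters before storing.
    $notice = isset( $_POST['notice'] ) ? sanitize_text_field( wp_unslash( $_POST['notice'] ) ) : '';
    update_option( GLC_EXAMPLE_OPTION, $notice );

    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_glc_example_save', 'glc_example_handle_save' );

// 4. Escape on output, so a stored value can never execute as script even if
//    an earlier version of the handler let something through.
function glc_example_print_notice() {
    echo '<p class="glc-notice">' . esc_html( get_option( GLC_EXAMPLE_OPTION, '' ) ) . '</p>';
}
add_action( 'wp_footer', 'glc_example_print_notice' );
```

The SameSite cookie attribute mentioned in the recommendation is a browser-side defence in depth; it does not replace the nonce check, which is the control that would have prevented this CVE's forged request from being accepted.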

Advisories

Source: EUVD
ID: EUVD-2025-3519
Title: Cross-Site Request Forgery (CSRF) vulnerability in Oliver Schaal GravatarLocalCache allows Cross Site Request Forgery. This issue affects GravatarLocalCache: from n/a through 1.1.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Type: Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Type: Description
  Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Oliver Schaal GravatarLocalCache allows Cross Site Request Forgery. This issue affects GravatarLocalCache: from n/a through 1.1.2.
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in cybio GravatarLocalCache gravatarlocalcache allows Cross Site Request Forgery. This issue affects GravatarLocalCache: from n/a through <= 1.1.2.

  Type: References
  Values Removed: (none shown)
  Values Added: (none shown)

  Type: Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 17 Jan 2025 19:15:00 +0000

  Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Jan 2025 20:30:00 +0000

  Type: Description
  Values Removed: (none)
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Oliver Schaal GravatarLocalCache allows Cross Site Request Forgery. This issue affects GravatarLocalCache: from n/a through 1.1.2.

  Type: Title
  Values Removed: (none)
  Values Added: WordPress GravatarLocalCache plugin <= 1.1.2 - CSRF to Stored XSS vulnerability

  Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-352

  Type: References
  Values Removed: (none shown)
  Values Added: (none shown)

  Type: Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T22:46:26.907Z

Reserved: 2025-01-16T11:31:51.931Z

Link: CVE-2025-23901

Vulnrichment

Updated: 2025-01-17T17:16:05.304Z

NVD

Status: Deferred

Published: 2025-01-16T21:15:32.027

Modified: 2026-06-17T08:57:42.063

Link: CVE-2025-23901

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T06:15:06Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)