Description
Cross-Site Request Forgery (CSRF) vulnerability in Mahbubur Rahman Post Meta post-meta allows Reflected XSS. This issue affects Post Meta: from n/a through <= 1.0.9.
Published: 2025-01-31
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Post Meta plugin contains a reflected cross-site scripting flaw that is reached through a forged cross-site request, which is why the record carries CWE-352 (CSRF) while its title describes reflected XSS. An attacker who needs no account on the site (CVSS PR:N) crafts a URL or auto-submitting form whose parameter the plugin echoes into its output without sanitisation; when a victim opens that link or page (UI:R), the payload runs in the victim's browser within the site's origin. If the victim is a logged-in editor or administrator, the script can act with that session: stealing cookies or tokens, issuing authenticated requests, or altering site content, which compromises the confidentiality and integrity of the affected WordPress installation. The record does not name the affected parameter or endpoint.

Affected Systems

WordPress sites running the Mahbubur Rahman Post Meta plugin (slug post-meta) at version 1.0.9 or earlier are affected; the record gives no lower bound ("from n/a"). No other vendor or product is listed.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) rates the issue High, while the EPSS score is below 1% and the entry is not in the CISA KEV catalog, so exploitation in the wild is currently unlikely; the SSVC assessment recorded in the history likewise lists exploitation as "none" and the flaw as not automatable. Exploitation needs no privileges on the target site but does need user interaction: the attacker must get a victim to open a crafted URL or submit a crafted form whose payload the plugin reflects. Scope is marked changed because the injected script executes in the victim's browser under the site's origin rather than inside the plugin alone; the practical impact depends on the privileges of the user who is tricked.

Generated by OpenCVE AI on May 2, 2026 at 05:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the plugin's changelog for a release after 1.0.9 that addresses this issue and update to it. This page records no fixed version; if none is available, deactivate and remove the plugin until one is (with WP-CLI: wp plugin deactivate post-meta, then wp plugin delete post-meta, using the slug given in the description).
  • If you maintain the site's code and cannot update immediately, harden the handler that reflects the input: verify a WordPress nonce on the request (check_admin_referer or wp_verify_nonce) so a forged cross-site request is rejected, sanitise the incoming value (sanitize_text_field), and escape it at the point of output for its context (esc_html, esc_attr) instead of echoing raw request data.
  • Deploy a Content Security Policy whose script-src omits 'unsafe-inline' and restricts script sources to the site's own origin and known hosts, so a reflected inline payload is blocked even if it is echoed. Roll it out with Content-Security-Policy-Report-Only first, because WordPress themes and plugins commonly rely on inline scripts.

Generated by OpenCVE AI on May 2, 2026 at 05:07 UTC.
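The following is an added illustration of the vulnerable pattern and its hardened form; it is not code from the Post Meta plugin, and the parameter name pm_search, the page slug pm_filter, the action name pm_filter_action and the nonce field pm_nonce are invented for the example. It shows a WordPress admin handler that reflects a request parameter unescaped, the same handler with a nonce check plus input sanitisation and output escaping, the helper that mints nonce-bearing links so the site's own requests still pass the check, and a report-only CSP as defence in depth.

```php
<?php
/*
 * Added example, not the plugin's own code. Hypothetical admin page handler
 * for a WordPress plugin; all identifiers below are invented.
 */

// --- Vulnerable pattern (do not ship): the value arrives on any GET request,
// including one a third-party page forged, and is echoed without escaping.
function pm_vulnerable_render() {
    $term = isset( $_GET['pm_search'] ) ? $_GET['pm_search'] : '';
    // A link such as admin.php?page=pm_filter&pm_search=%3Cscript%3E...
    // places the payload directly into the admin page HTML.
    echo '<p>Results for: ' . $term . '</p>';
}

// --- Hardened pattern: the nonce check defeats the forged request, and
// sanitisation plus context-aware escaping defeats the reflection.
function pm_hardened_render() {
    // Reject requests that do not carry a nonce minted for this action.
    // check_admin_referer() calls wp_die() on failure, so nothing is rendered.
    check_admin_referer( 'pm_filter_action', 'pm_nonce' );

    // Normalise input: remove the slashes WordPress adds, then strip tags,
    // octets and control characters.
    $term = isset( $_GET['pm_search'] )
        ? sanitize_text_field( wp_unslash( $_GET['pm_search'] ) )
        : '';

    // Escape at the point of output, for the context it lands in.
    echo '<p>Results for: ' . esc_html( $term ) . '</p>';
    echo '<input type="text" name="pm_search" value="' . esc_attr( $term ) . '">';
}

// Links to the hardened page must carry the nonce, otherwise the check
// above rejects the site's own legitimate requests as well.
function pm_filter_link( $term ) {
    // add_query_arg() does not encode values itself, so encode here.
    $url = add_query_arg(
        array( 'page' => 'pm_filter', 'pm_search' => rawurlencode( $term ) ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'pm_filter_action', 'pm_nonce' );
}

// Defence in depth: a CSP with no 'unsafe-inline' in script-src blocks an
// inline payload even if it is reflected. Start in Report-Only mode until
// the site's own inline scripts have been accounted for, then switch the
// header name to Content-Security-Policy.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
} );
```

The nonce alone is not a complete fix: a nonce ties the request to a logged-in user's session and stops the cross-site delivery, but an attacker who can obtain a valid nonce-bearing URL (for instance one the victim shares) would still hit the reflection, so the escaping in the hardened handler is what removes the XSS itself.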

Advisories
Source: EUVD
ID: EUVD-2025-3759
Title: Cross-Site Request Forgery (CSRF) vulnerability in Mahbubur Rahman Post Meta allows Reflected XSS. This issue affects Post Meta: from n/a through 1.0.9.
History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description, removed: Cross-Site Request Forgery (CSRF) vulnerability in Mahbubur Rahman Post Meta allows Reflected XSS. This issue affects Post Meta: from n/a through 1.0.9.
  Description, added: Cross-Site Request Forgery (CSRF) vulnerability in Mahbubur Rahman Post Meta post-meta allows Reflected XSS.This issue affects Post Meta: from n/a through <= 1.0.9.
  References
  Metrics cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 11 Jul 2025 13:45:00 +0000
  Metrics epss, removed: {'score': 0.00019}
  Metrics epss, added: {'score': 0.00023}

Mon, 10 Feb 2025 23:15:00 +0000
  Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 31 Jan 2025 08:45:00 +0000
  Description, added: Cross-Site Request Forgery (CSRF) vulnerability in Mahbubur Rahman Post Meta allows Reflected XSS. This issue affects Post Meta: from n/a through 1.0.9.
  Title, added: WordPress Post Meta plugin <= 1.0.9 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses, added: CWE-352
  References
  Metrics cvssV3_1, added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:24:56.880Z

Reserved: 2025-01-23T14:50:18.328Z

Link: CVE-2025-24549

Vulnrichment

Updated: 2025-01-31T15:36:16.925Z

NVD

Status: Deferred

Published: 2025-01-31T09:15:10.027

Modified: 2026-06-17T08:59:12.700

Link: CVE-2025-24549

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T05:15:16Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)