Description
Cross-Site Request Forgery (CSRF) vulnerability in WPDeveloper Secret Meta facebook-secret-meta allows Reflected XSS. This issue affects Secret Meta: from n/a through <= 1.2.1.
Published: 2025-03-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker to trigger a CSRF request that results in reflected XSS, enabling malicious script injection into pages viewed by unsuspecting users, potentially compromising credentials or stealing session data.

Affected Systems

The affected system is the Secret Meta plugin by WPDeveloper, used within WordPress installations, with all versions up to and including 1.2.1.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.1 and an EPSS score of less than 1%, indicating a low predicted likelihood of exploitation. Although it is not listed in the CISA KEV catalog, the fact that it is a CSRF‑to‑XSS flaw means an attacker can craft a malicious link that submits a forged request and injects arbitrary scripts into the user's browser session. The lack of an exploit listing suggests the risk is moderate, but the high severity warrants swift remediation.

Generated by OpenCVE AI on May 1, 2026 at 12:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Secret Meta plugin to the latest version that addresses the CSRF‑to‑XSS flaw.
  • Implement CSRF protection controls such as nonces or request validation to block unauthorized state‑changing requests.
  • Apply output sanitization and enforce a strong content security policy to mitigate reflected XSS.



Advisories
Source: EUVD
ID: EUVD-2025-8502
Title: Cross-Site Request Forgery (CSRF) vulnerability in WPDeveloper Secret Meta allows Reflected XSS. This issue affects Secret Meta: from n/a through 1.2.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in WPDeveloper Secret Meta allows Reflected XSS. This issue affects Secret Meta: from n/a through 1.2.1.
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in WPDeveloper Secret Meta facebook-secret-meta allows Reflected XSS. This issue affects Secret Meta: from n/a through <= 1.2.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 27 Mar 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 27 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in WPDeveloper Secret Meta allows Reflected XSS. This issue affects Secret Meta: from n/a through 1.2.1.
Title WordPress Secret Meta plugin <= 1.2.1 - CSRF to Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:34.909Z

Reserved: 2025-02-03T13:34:11.344Z

Link: CVE-2025-25086

Vulnrichment

Updated: 2025-03-27T15:44:47.395Z

NVD

Status: Deferred

Published: 2025-03-27T14:15:49.737

Modified: 2026-06-17T09:00:16.370

Link: CVE-2025-25086

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T13:00:12Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)