CVE-2025-25153 - Vulnerability Details

- WordPress Simple Auto Tag plugin <= 1.1 - CSRF to Stored XSS vulnerability

Description

Cross-Site Request Forgery (CSRF) vulnerability in djjmz Simple Auto Tag simple-auto-tag allows Stored XSS.This issue affects Simple Auto Tag: from n/a through <= 1.1.

Published: 2025-02-07

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A CSRF flaw in the Simple Auto Tag plugin allows an attacker to inject a malicious script into stored data, resulting in stored XSS when the data is displayed on the site. The vulnerability is classified as CWE‑352 based on the provided description. No details are given about what input triggers the flaw or what context the stored data is rendered, so the exact scope of impact remains unspecified beyond the potential for arbitrary script execution on front‑end pages.

Affected Systems

The Simple Auto Tag plugin by djjmz, enabled on WordPress installations, is impacted for all releases up to and including version 1.1.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. The EPSS score of less than 1% suggests a low likelihood of active exploitation at this time, and the CVE is not listed in CISA’s KEV catalog. Exploitation would involve a CSRF attack that submits forged data to the plugin; based on standard CSRF behavior, a logged‑in user would need to be tricked into visiting a specialized link. However, the CVE description does not explicitly state authentication requirements or the request details, so these conditions are inferred from typical CSRF patterns rather than confirmed.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

djjmz

Simple Auto Tag

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.1

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Simple Auto Tag plugin to a version newer than 1.1 to eliminate the CSRF flaw.
If an upgrade is not immediately available, consider disabling or uninstalling the plugin to prevent the stored XSS risk.
For sites that must continue using the plugin, ensure that any form submitted to the plugin includes a valid CSRF token and that all user‑supplied content is properly escaped before rendering.

Generated by OpenCVE AI on May 2, 2026 at 04:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-4062	Cross-Site Request Forgery (CSRF) vulnerability in djjmz Simple Auto Tag allows Stored XSS. This issue affects Simple Auto Tag: from n/a through 1.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00131.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/simple-auto-tag/vulnerability/wordpress-simple-auto-tag-plugin-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Cross-Site Request Forgery (CSRF) vulnerability in djjmz Simple Auto Tag allows Stored XSS. This issue affects Simple Auto Tag: from n/a through 1.1.	Cross-Site Request Forgery (CSRF) vulnerability in djjmz Simple Auto Tag simple-auto-tag allows Stored XSS.This issue affects Simple Auto Tag: from n/a through <= 1.1.
References	https://patchstack.com/database/wordpress/plugin/simple-auto-tag/vulnerability/wordpress-simple-auto-tag-plugin-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/simple-auto-tag/vulnerability/wordpress-simple-auto-tag-plugin-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}`

Wed, 12 Feb 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 07 Feb 2025 10:15:00 +0000

Type	Values Removed	Values Added
Description		Cross-Site Request Forgery (CSRF) vulnerability in djjmz Simple Auto Tag allows Stored XSS. This issue affects Simple Auto Tag: from n/a through 1.1.
Title		WordPress Simple Auto Tag plugin <= 1.1 - CSRF to Stored XSS vulnerability
Weaknesses		CWE-352
References		https://patchstack.com/database/wordpress/plugin/simple-auto-tag/vulnerability/wordpress-simple-auto-tag-plugin-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}`

Subscriptions

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-02-07T10:11:56.354Z

Updated: 2026-04-28T16:11:36.919Z

Reserved: 2025-02-03T13:35:19.028Z

Link: CVE-2025-25153

Vulnrichment

Updated: 2025-02-12T20:44:55.274Z

NVD

Status : Deferred

Published: 2025-02-07T10:15:20.953

Modified: 2026-06-17T09:00:23.147

Link: CVE-2025-25153

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T04:45:34Z

Weaknesses

CWE-352
Cross-Site Request Forgery (CSRF)

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object