CVE-2025-25156 - Vulnerability Details

- WordPress Quote Comments plugin <= 3.0.0 - CSRF to Stored XSS vulnerability

Description

Cross-Site Request Forgery (CSRF) vulnerability in Stanko Metodiev Quote Comments quote-comments allows Stored XSS.This issue affects Quote Comments: from n/a through <= 3.0.0.

Published: 2025-02-07

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery that enables an attacker to inject malicious JavaScript into stored comments made through the Quote Comments plugin. By forging a request that a victim authorises, the attacker can embed a script that will execute when any user views the comment, leading to session hijacking, data theft, or defacement. The flaw is directly related to CWE‑352, which identifies the lack of proper CSRF protection and the resulting stored XSS effect.

Affected Systems

The defect affects the Quote Comments plugin for WordPress authored by Stanko Metodiev. Versions from the earliest release through 3.0.0 are vulnerable, with 3.0.1 and later addressing the issue.

Risk and Exploitability

The CVSS base score of 7.1 places this as a high‑severity item, while the EPSS score of less than 1% indicates that exploitation is currently uncommon but non‑negligible. The vulnerability is not listed in CISA’s KEV catalog. Likely users must be authenticated to post a comment, suggesting that the attack vector involves a logged‑in administrative or content‑editor user being tricked or compromised to submit a forged request. The attacker can then place malicious payloads that persist across sessions and affect any visitor who views the compromised content.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Stanko Metodiev

Quote Comments

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.0.0

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Quote Comments plugin to version 3.0.1 or later
If an upgrade is not immediately possible, disable or remove the Quote Comments plugin from the WordPress installation
Ensure that WordPress is configured to require CSRF tokens for all state‑changing requests and that users are trained to recognise suspicious links

Generated by OpenCVE AI on May 1, 2026 at 16:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-4065	Cross-Site Request Forgery (CSRF) vulnerability in Stanko Metodiev Quote Comments allows Stored XSS. This issue affects Quote Comments: from n/a through 2.2.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0013.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/quote-comments/vulnerability/wordpress-quote-comments-plugin-2-2-1-csrf-to-stored-xss-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Cross-Site Request Forgery (CSRF) vulnerability in Stanko Metodiev Quote Comments allows Stored XSS. This issue affects Quote Comments: from n/a through 2.2.1.	Cross-Site Request Forgery (CSRF) vulnerability in Stanko Metodiev Quote Comments quote-comments allows Stored XSS.This issue affects Quote Comments: from n/a through <= 3.0.0.
Title	WordPress Quote Comments plugin <= 2.2.1 - CSRF to Stored XSS vulnerability	WordPress Quote Comments plugin <= 3.0.0 - CSRF to Stored XSS vulnerability
References	https://patchstack.com/database/wordpress/plugin/quote-comments/vulnerability/wordpress-quote-comments-plugin-2-2-1-csrf-to-stored-xss-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/quote-comments/vulnerability/wordpress-quote-comments-plugin-2-2-1-csrf-to-stored-xss-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}`

Wed, 12 Feb 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 07 Feb 2025 10:15:00 +0000

Type	Values Removed	Values Added
Description		Cross-Site Request Forgery (CSRF) vulnerability in Stanko Metodiev Quote Comments allows Stored XSS. This issue affects Quote Comments: from n/a through 2.2.1.
Title		WordPress Quote Comments plugin <= 2.2.1 - CSRF to Stored XSS vulnerability
Weaknesses		CWE-352
References		https://patchstack.com/database/wordpress/plugin/quote-comments/vulnerability/wordpress-quote-comments-plugin-2-2-1-csrf-to-stored-xss-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-02-07T10:11:56.970Z

Updated: 2026-04-28T16:11:37.140Z

Reserved: 2025-02-03T13:35:19.029Z

Link: CVE-2025-25156

Vulnrichment

Updated: 2025-02-12T20:44:31.463Z

NVD

Status : Deferred

Published: 2025-02-07T10:15:21.457

Modified: 2026-04-23T15:25:42.943

Link: CVE-2025-25156

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T17:00:11Z

Weaknesses

CWE-352

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object