Description
Cross-Site Request Forgery (CSRF) vulnerability in Black and White BookPress – For Book Authors book-press allows Cross-Site Scripting (XSS). This issue affects BookPress – For Book Authors: from n/a through <= 1.2.7.
Published: 2025-02-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to craft a forged request that, when submitted through a victim's browser, injects malicious JavaScript which is then stored within the WordPress site. Once the script is stored, it executes whenever any user views a page containing the compromised content. The weakness is identified as CWE‑352, a classic CSRF defect that here produces persistent (stored) XSS. The description gives no detail beyond the fact that the stored script executes, so the downstream effects are limited to what a typical XSS payload could achieve.

Affected Systems

The Black and White BookPress – For Book Authors plugin for WordPress is affected in all releases up to and including version 1.2.7. Versions after 1.2.7 are not listed as vulnerable and are presumably not affected.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate to high severity. The EPSS score of less than 1% suggests that the probability of exploitation is very low at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires a forged request, and it is inferred that an authenticated user with sufficient privileges would need to be induced to submit that request (consistent with the CVSS vector's PR:N and UI:R), but the exact requirements are not detailed in the advisory.

Generated by OpenCVE AI on May 2, 2026 at 04:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the BookPress – For Book Authors plugin to version 1.2.8 or newer to remove the CSRF and XSS flaw.
  • If an upgrade is not possible, deactivate or uninstall the plugin to eliminate the attack surface.
  • Implement CSRF token validation for any privileged forms, and restrict the ability to store unfiltered HTML or script to users with the highest level of trust.
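The last recommendation is what a plugin author would implement to close a CSRF-to-stored-XSS path of the kind this record describes. The following is an added illustration, not code from the BookPress plugin (whose form, option and hook names the record does not give); every name prefixed `bpx_` is a placeholder. It shows the three separate controls in order: a per-action nonce check (the CSRF defence), a capability check (authorisation, which a nonce does not provide), and sanitisation of the submitted markup before it is stored (so that even a request that passes both checks cannot persist a script).

```php
<?php
/*
 * Added illustration (not BookPress code): a minimal WordPress admin form
 * handler hardened against CSRF and stored XSS. Names prefixed "bpx_" are
 * placeholders for whatever the real plugin uses.
 */

// 1. Render the settings form. wp_nonce_field() embeds a nonce bound to the
//    action name 'bpx_save_settings' and the current user's session; a page
//    on another origin cannot read it, so it cannot forge a valid request.
function bpx_render_settings_page() {
    $current = get_option( 'bpx_author_bio', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'bpx_save_settings', 'bpx_nonce' ); ?>
        <input type="hidden" name="action" value="bpx_save_settings">
        <textarea name="bpx_author_bio" rows="6" cols="60"><?php echo esc_textarea( $current ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Handle the POST from admin-post.php.
function bpx_handle_save_settings() {
    // CSRF defence: check_admin_referer() verifies the nonce field for this
    // exact action and calls wp_die() if it is missing or invalid, so a
    // forged cross-site request never reaches the code below.
    check_admin_referer( 'bpx_save_settings', 'bpx_nonce' );

    // Authorisation is a separate question: a valid nonce only proves that the
    // request originated from a form this site rendered for this user.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.' ) );
    }

    // Stored-XSS defence: wp_kses_post() keeps ordinary post markup but strips
    // <script> elements, on* event handlers and javascript: URLs, so what is
    // persisted cannot execute when later rendered.
    $raw = isset( $_POST['bpx_author_bio'] ) ? wp_unslash( $_POST['bpx_author_bio'] ) : '';
    $bio = wp_kses_post( $raw );
    update_option( 'bpx_author_bio', $bio );

    // Redirect back to the settings page (PRG pattern avoids re-submission).
    wp_safe_redirect( admin_url( 'options-general.php?page=bpx-settings&updated=1' ) );
    exit;
}
add_action( 'admin_post_bpx_save_settings', 'bpx_handle_save_settings' );

// 3. Register the page; the capability here gates viewing, the check in the
//    handler gates saving. Both are needed.
add_action( 'admin_menu', function () {
    add_options_page( 'BPX Settings', 'BPX Settings', 'manage_options', 'bpx-settings', 'bpx_render_settings_page' );
} );
```

The order matters: the nonce check runs first so that a forged request is rejected before any state is touched, and the capability check runs before sanitisation so that an unprivileged user cannot write even a sanitised value. When reviewing a plugin for this class of bug, look for `update_option()`, `update_post_meta()` or direct database writes reachable from an `admin_post_*`, `admin_init` or `wp_ajax_*` hook that are not preceded by `check_admin_referer()` / `wp_verify_nonce()` and a `current_user_can()` check.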


Advisories
Source: EUVD
ID: EUVD-2025-4071
Title: Cross-Site Request Forgery (CSRF) vulnerability in blackandwhitedigital BookPress – For Book Authors allows Cross-Site Scripting (XSS). This issue affects BookPress – For Book Authors: from n/a through 1.2.7.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in blackandwhitedigital BookPress – For Book Authors allows Cross-Site Scripting (XSS). This issue affects BookPress – For Book Authors: from n/a through 1.2.7.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Black and White BookPress – For Book Authors book-press allows Cross-Site Scripting (XSS). This issue affects BookPress – For Book Authors: from n/a through <= 1.2.7.

Type: References

Type: Metrics (cvssV3_1)
Values Removed: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Wed, 12 Feb 2025 21:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 11 Feb 2025 18:45:00 +0000

Type: First Time appeared
Values Added: Blackandwhitedigital; Blackandwhitedigital bookpress

Type: CPEs
Values Added: cpe:2.3:a:blackandwhitedigital:bookpress:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Blackandwhitedigital; Blackandwhitedigital bookpress

Fri, 07 Feb 2025 10:15:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in blackandwhitedigital BookPress – For Book Authors allows Cross-Site Scripting (XSS). This issue affects BookPress – For Book Authors: from n/a through 1.2.7.

Type: Title
Values Added: WordPress BookPress – For Book Authors Plugin <= 1.2.7 - CSRF to Stored XSS vulnerability

Type: Weaknesses
Values Added: CWE-352

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:37.552Z

Reserved: 2025-02-03T13:35:31.280Z

Link: CVE-2025-25168

Vulnrichment

Updated: 2025-02-12T20:44:07.658Z

NVD

Status : Modified

Published: 2025-02-07T10:15:22.600

Modified: 2026-04-23T15:25:44.440

Link: CVE-2025-25168

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T04:45:34Z

Weaknesses