Description
Cross-Site Request Forgery (CSRF) vulnerability in Kunal Shivale Global Meta Keyword & Description global-meta-keyword-and-description allows Stored XSS. This issue affects Global Meta Keyword & Description: from n/a through <= 2.3.
Published: 2025-02-13
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross-Site Request Forgery flaw that allows an attacker to perform stored Cross-Site Scripting against the WordPress Global Meta Keyword & Description plugin. By getting an authenticated user to submit a forged request, the attacker can embed malicious script that is saved in the plugin's configuration. When other site visitors load content that pulls values from this plugin, the script executes in their browsers, potentially stealing session cookies, defacing pages, or redirecting users to phishing sites.

Affected Systems

This issue affects WordPress installations running the Global Meta Keyword & Description plugin version 2.3 and earlier. The problem is present in all WordPress sites that have the plugin installed and have not applied a newer release.

Risk and Exploitability

The CVSS score is 7.1, indicating a moderate‑to‑high impact when the flaw is exercised. The EPSS value of <1% suggests a very low probability of exploitation under current conditions, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a web‑based CSRF attack that requires an authenticated user, typically an administrator, to submit a forged request. If the attacker can obtain or hijack an admin session, the stored XSS payload can be injected and then executed for all site visitors.

Generated by OpenCVE AI on May 1, 2026 at 16:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Global Meta Keyword & Description plugin to the latest version (≥ 2.4) to remove the CSRF and stored XSS flaw.
  • If an upgrade is not immediately possible, disable or remove the plugin from the WordPress site to eliminate the attack surface.
  • For sites that must keep the plugin until upgrading, implement or ensure WordPress’s built‑in nonce protection for all form actions and limit the plugin’s access to administrators only.


Advisories
Source: EUVD
ID: EUVD-2025-4217
Title: Cross-Site Request Forgery (CSRF) vulnerability in Kunal Shivale Global Meta Keyword & Description allows Stored XSS. This issue affects Global Meta Keyword & Description: from n/a through 2.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Kunal Shivale Global Meta Keyword & Description allows Stored XSS. This issue affects Global Meta Keyword & Description: from n/a through 2.3.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Kunal Shivale Global Meta Keyword & Description global-meta-keyword-and-description allows Stored XSS. This issue affects Global Meta Keyword & Description: from n/a through <= 2.3.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00017}

epss

{'score': 0.00019}


Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00031}

epss

{'score': 0.00017}


Tue, 18 Feb 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 13 Feb 2025 14:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Kunal Shivale Global Meta Keyword & Description allows Stored XSS. This issue affects Global Meta Keyword & Description: from n/a through 2.3.
Title WordPress Global Meta Keyword & Description plugin <= 2.3 - CSRF to Cross-Site Scripting vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:38.353Z

Reserved: 2025-02-12T13:58:25.801Z

Link: CVE-2025-26550

Vulnrichment

Updated: 2025-02-13T14:33:51.024Z

NVD

Status: Deferred

Published: 2025-02-13T14:16:20.993

Modified: 2026-04-23T15:25:47.347

Link: CVE-2025-26550

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T17:00:11Z

Weaknesses