Description
Cross-Site Request Forgery (CSRF) vulnerability in jensmueller Easy Amazon Product Information easy-amazon-product-information allows Stored XSS. This issue affects Easy Amazon Product Information: from n/a through <= 4.0.1.
Published: 2025-02-13
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross‑site request forgery flaw in the Easy Amazon Product Information plugin allows an attacker to trick a legitimate user into submitting a crafted request that stores malicious script code in the database. Once stored, the payload is executed in the browsers of any visitor to the site, resulting in a stored cross‑site scripting vulnerability.

Affected Systems

The vulnerability affects all installations of the jensmueller Easy Amazon Product Information plugin version 4.0.1 or earlier.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity, but the EPSS score of less than 1 % suggests that exploitation is unlikely at present. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be remote, requiring an authenticated user to submit the malicious request through the vulnerable form, after which the script is executed for all site visitors.

Generated by OpenCVE AI on May 1, 2026 at 16:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Easy Amazon Product Information to version 4.0.2 or later.
  • If an upgrade is not immediately possible, restrict the affected form to non‑authenticated users or implement a nonce to prevent CSRF.
  • Continuously monitor the site’s input logs for anomalous requests and block IPs that attempt to submit the vulnerable requests.

Generated by OpenCVE AI on May 1, 2026 at 16:43 UTC.
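The nonce mitigation named in the second recommended action, shown as a WordPress settings-form handler. This is an added example written here for illustration; it is not code from the Easy Amazon Product Information plugin or from OpenCVE, and every `eapi_example_*` name and the tracking-ID option are hypothetical. Because the advisory's impact is stored XSS reached through CSRF, the nonce check is paired with a capability check, input sanitisation and contextual output escaping: the nonce stops the forged request from being accepted, and the escaping ensures that a value already in the database cannot run as script.

```php
<?php
/**
 * Added example (not the plugin's code): a WordPress settings form that
 * blocks CSRF with a nonce and a capability check, and neutralises stored XSS
 * by sanitising on input and escaping on output.
 * All eapi_example_* names are hypothetical.
 */

// Render the admin form. wp_nonce_field() emits a hidden per-user,
// per-action token that a cross-site page cannot read or guess.
function eapi_example_render_form() {
    $saved = get_option( 'eapi_example_tracking_id', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'eapi_example_save', 'eapi_example_nonce' ); ?>
        <input type="hidden" name="action" value="eapi_example_save">
        <label for="eapi_tracking_id">Tracking ID</label>
        <input type="text" id="eapi_tracking_id" name="eapi_tracking_id"
               value="<?php echo esc_attr( $saved ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the POST. The weak pattern this replaces reads $_POST and calls
// update_option() with no nonce, no capability check and no sanitisation,
// so a forged request issued from a logged-in user's browser stores
// attacker-controlled markup that is later rendered to every visitor.
function eapi_example_handle_save() {
    // 1. CSRF: reject requests that lack a valid nonce for this action
    //    (check_admin_referer() terminates with a 403 page on failure).
    check_admin_referer( 'eapi_example_save', 'eapi_example_nonce' );

    // 2. Authorisation: only users who may manage options can change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'Insufficient permissions.', 'eapi-example' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 3. Input sanitisation: strip tags and control characters before storing.
    $tracking_id = isset( $_POST['eapi_tracking_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['eapi_tracking_id'] ) )
        : '';

    update_option( 'eapi_example_tracking_id', $tracking_id );

    // Redirect back to the settings page (safe redirect stays on this host).
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_eapi_example_save', 'eapi_example_handle_save' );

// 4. Output escaping: whatever reaches the public page is escaped for its
//    context, so a value that slipped past sanitisation still cannot execute.
function eapi_example_render_badge() {
    $tracking_id = get_option( 'eapi_example_tracking_id', '' );
    echo '<span class="eapi-badge">' . esc_html( $tracking_id ) . '</span>';
}
```

When reviewing a plugin for this class of issue, look for the two checks together: a `check_admin_referer()` or `wp_verify_nonce()` call on every state-changing handler, and an `esc_*` call at every point where stored option data is printed. A nonce check without output escaping still leaves stored XSS reachable by any legitimately authorised user, and escaping without a nonce still lets a forged request overwrite settings.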


Advisories
Source: EUVD
ID: EUVD-2025-4224
Title: Cross-Site Request Forgery (CSRF) vulnerability in jensmueller Easy Amazon Product Information allows Stored XSS. This issue affects Easy Amazon Product Information: from n/a through 4.0.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in jensmueller Easy Amazon Product Information allows Stored XSS. This issue affects Easy Amazon Product Information: from n/a through 4.0.1.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in jensmueller Easy Amazon Product Information easy-amazon-product-information allows Stored XSS. This issue affects Easy Amazon Product Information: from n/a through <= 4.0.1.
Type: References
Type: Metrics (cvssV3_1)

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Sun, 13 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00017}
Values Added: {'score': 0.00019}


Sat, 12 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00031}
Values Added: {'score': 0.00017}


Thu, 13 Feb 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 13 Feb 2025 14:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in jensmueller Easy Amazon Product Information allows Stored XSS. This issue affects Easy Amazon Product Information: from n/a through 4.0.1.
Title WordPress Easy Amazon Product Information plugin <= 4.0.1 - CSRF to Stored XSS vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:31:58.250Z

Reserved: 2025-02-12T13:58:47.896Z

Link: CVE-2025-26568

Vulnrichment

Updated: 2025-02-13T14:06:37.269Z

NVD

Status: Deferred

Published: 2025-02-13T14:16:22.910

Modified: 2026-06-17T09:02:02.397

Link: CVE-2025-26568

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T16:45:20Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)