Description
Cross-Site Request Forgery (CSRF) vulnerability in mathieuhays Simple Documentation client-documentation allows Stored XSS. This issue affects Simple Documentation: from n/a through <= 1.2.8.
Published: 2025-02-13
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross-Site Request Forgery that allows an attacker to store malicious JavaScript in the Simple Documentation plugin. An authenticated user who is tricked into submitting a forged request has the script injected and persisted, after which it executes whenever the documentation page is viewed. The result is Stored Cross-Site Scripting. The underlying weakness is identified as CWE-352, and the consequences can include session hijacking, defacement, or other malicious exploitation.

Affected Systems

The susceptible product is the WordPress plugin Simple Documentation, developed by mathieuhays, in all releases up through version 1.2.8. Any WordPress site currently running this plugin, regardless of WordPress core version, is affected.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate-to-high severity, while the EPSS score of < 1% reflects a very low probability of exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with editing rights; an attacker would need to lure that user into clicking a crafted link that submits the malicious payload. No additional technical prerequisites beyond such privileged access are described, but the impact could extend to the entire site if the injected script executes in visitors' browsers.

Generated by OpenCVE AI on May 1, 2026 at 16:41 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Simple Documentation plugin to a version newer than 1.2.8 where the CSRF and XSS issue has been fixed.
  • If an update cannot be performed immediately, disable or uninstall the Simple Documentation plugin to prevent further exploitation until a patch is available.
  • Restrict editing permissions for the plugin to a minimal set of trusted administrators and review any existing documentation content for injected scripts.

Generated by OpenCVE AI on May 1, 2026 at 16:41 UTC.
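As an added illustration of the CWE-352 pattern behind this advisory and of the fix the recommended actions imply, here is a WordPress admin-post handler that accepts a state-changing request with no nonce, beside its hardened form. This is example code written for this page, not the Simple Documentation plugin's own code; every `sd_demo_*` name, the option key and the form field names are hypothetical.

```php
<?php
// Hypothetical handlers (not the plugin's code). The weak version is never hooked.

// VULNERABLE (CWE-352): no nonce, no capability check, no sanitization. An editor
// whose browser is made to submit this form from another site has the request
// accepted with their session, and the raw body is stored and later rendered:
// the CSRF -> stored XSS chain described in the advisory.
function sd_demo_save_doc_vulnerable() {
    $title = $_POST['doc_title'];
    $body  = $_POST['doc_body'];
    update_option( 'sd_demo_doc', array( 'title' => $title, 'body' => $body ) );
    wp_safe_redirect( admin_url( 'admin.php?page=sd-demo' ) );
    exit;
}

// HARDENED: the nonce proves the request came from a form this site rendered for
// this user (a forged cross-site request cannot know it); the capability check
// enforces least privilege; wp_kses_post() bounds what can be stored.
function sd_demo_save_doc_hardened() {
    // check_admin_referer() terminates with a 403 when the nonce is missing or invalid.
    check_admin_referer( 'sd_demo_save_doc', 'sd_demo_nonce' );
    if ( ! current_user_can( 'edit_pages' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'sd-demo' ), 403 );
    }
    $title = sanitize_text_field( wp_unslash( $_POST['doc_title'] ?? '' ) );
    $body  = wp_kses_post( wp_unslash( $_POST['doc_body'] ?? '' ) );
    update_option( 'sd_demo_doc', array( 'title' => $title, 'body' => $body ) );
    wp_safe_redirect( admin_url( 'admin.php?page=sd-demo' ) );
    exit;
}
add_action( 'admin_post_sd_demo_save_doc', 'sd_demo_save_doc_hardened' );

// The legitimate form embeds the matching nonce; output is escaped on render so
// that content stored before the fix is still filtered when displayed.
function sd_demo_render_form() {
    $doc = get_option( 'sd_demo_doc', array( 'title' => '', 'body' => '' ) );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="sd_demo_save_doc">';
    wp_nonce_field( 'sd_demo_save_doc', 'sd_demo_nonce' );
    echo '<input name="doc_title" value="' . esc_attr( $doc['title'] ) . '">';
    echo '<textarea name="doc_body">' . esc_textarea( $doc['body'] ) . '</textarea>';
    echo '<button type="submit">Save</button></form>';
    echo '<div class="sd-demo-doc">' . wp_kses_post( $doc['body'] ) . '</div>';
}
```

The third recommended action (review existing content for injected scripts) is why the render path re-filters with wp_kses_post(): a nonce check alone does not clean entries stored before the fix.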


Advisories
Source: EUVD
ID: EUVD-2025-4231
Title: Cross-Site Request Forgery (CSRF) vulnerability in mathieuhays Simple Documentation allows Stored XSS. This issue affects Simple Documentation: from n/a through 1.2.8.
History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description
    Removed: Cross-Site Request Forgery (CSRF) vulnerability in mathieuhays Simple Documentation allows Stored XSS. This issue affects Simple Documentation: from n/a through 1.2.8.
    Added: Cross-Site Request Forgery (CSRF) vulnerability in mathieuhays Simple Documentation client-documentation allows Stored XSS.This issue affects Simple Documentation: from n/a through <= 1.2.8.
  References
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Sun, 13 Jul 2025 13:45:00 +0000
  Metrics (epss)
    Removed: {'score': 0.00017}
    Added: {'score': 0.00019}

Sat, 12 Jul 2025 13:45:00 +0000
  Metrics (epss)
    Removed: {'score': 0.00031}
    Added: {'score': 0.00017}

Tue, 18 Feb 2025 20:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 13 Feb 2025 14:00:00 +0000
  Description: Cross-Site Request Forgery (CSRF) vulnerability in mathieuhays Simple Documentation allows Stored XSS. This issue affects Simple Documentation: from n/a through 1.2.8.
  Title: WordPress Simple Documentation plugin <= 1.2.8 - CSRF to Stored XSS vulnerability
  Weaknesses: CWE-352
  References
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:38.992Z

Reserved: 2025-02-12T13:58:55.638Z

Link: CVE-2025-26578

Vulnrichment

Updated: 2025-02-13T14:33:22.342Z

NVD

Status : Deferred

Published: 2025-02-13T14:16:23.990

Modified: 2026-06-17T09:02:03.377

Link: CVE-2025-26578

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T16:45:20Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)