Description
Cross-Site Request Forgery (CSRF) vulnerability in bhzad WP jQuery Persian Datepicker wpjqp-datepicker allows Stored XSS. This issue affects WP jQuery Persian Datepicker: from n/a through <= 0.1.0.
Published: 2025-03-11
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross-Site Request Forgery vulnerability in the WP jQuery Persian Datepicker plugin allows an attacker to have a crafted request submitted on a victim's behalf that stores malicious JavaScript in the plugin's saved data. When a user loads a page that retrieves the stored configuration, the script executes in the browser with the site's privileges, enabling the attacker to capture data or modify the page content. The weakness is classified as CWE-352, indicating that the request is not validated (for example with a nonce) before the data is persisted.

Affected Systems

The flaw affects the WordPress plugin WP jQuery Persian Datepicker distributed by bhzad. All releases up to and including version 0.1.0 are affected, and no fixed version has been released. WordPress sites that have the plugin installed are vulnerable until a fixed release is available.

Risk and Exploitability

The CVSS base score of 7.1 places the flaw in the high severity range. An EPSS score of less than 1% indicates a low probability of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires a forged request that stores malicious code; the attack vector likely involves tricking a logged-in user or administrator into submitting the request, after which any site visitor may load the stored payload. The analysis infers that an authenticated victim may be required given the nature of WordPress plugin settings, but this requirement is not explicitly stated in the CVE description.

Generated by OpenCVE AI on May 2, 2026 at 08:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deactivate or uninstall the WP jQuery Persian Datepicker plugin to eliminate the stored XSS risk.
  • If the plugin must remain, review all stored configuration values for embedded script and remove any that are not plain text.
  • Implement CSRF protection on the plugin’s data submission endpoints, such as including a nonce or token in the request.
  • Apply a content security policy that restricts script execution to trusted sources, mitigating the impact of any remaining stored XSS.
  • Review site configuration after any user interaction and monitor logs for anomalous script injections.
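
As an added illustration of the recommended nonce-based CSRF protection and of escaping stored values on output, the following is example code written for this page, not the plugin's own code: a hypothetical WordPress settings handler shown first in the unprotected form that CWE-352 describes and then in a hardened form. The option name, the `admin_post_` action name, the field names and the `wpjqp_demo_` prefix are assumptions.

```php
<?php
// Added example (not the plugin's own code). Names prefixed wpjqp_demo_ are
// hypothetical; the option and action names are assumptions for illustration.

// --- Unprotected pattern: no nonce, no capability check, no output escaping ---
function wpjqp_demo_save_settings_unprotected() {
    // Any POST reaching admin-post.php?action=wpjqp_demo_save_unprotected is
    // trusted, so a form on a third-party page submitted by a logged-in
    // administrator's browser is accepted and its value is persisted as-is.
    update_option( 'wpjqp_demo_date_format', $_POST['date_format'] );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

function wpjqp_demo_render_unprotected() {
    // Raw echo of a stored value: script stored above runs on every page load.
    echo '<input type="text" value="' . get_option( 'wpjqp_demo_date_format' ) . '">';
}

// --- Hardened pattern ---
function wpjqp_demo_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpjqp_demo_save">
        <?php
        // Emits a hidden nonce field bound to the current user and this action.
        wp_nonce_field( 'wpjqp_demo_save', 'wpjqp_demo_nonce' );
        ?>
        <input type="text" name="date_format"
               value="<?php echo esc_attr( get_option( 'wpjqp_demo_date_format', 'YYYY/MM/DD' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

function wpjqp_demo_save_settings_hardened() {
    // 1. Capability check: only users permitted to change options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wpjqp-demo' ), 403 );
    }

    // 2. CSRF check: a forged cross-site request cannot supply a nonce that is
    //    valid for this user and action. check_admin_referer() stops with a 403
    //    page when the nonce is missing or invalid.
    check_admin_referer( 'wpjqp_demo_save', 'wpjqp_demo_nonce' );

    // 3. Sanitise and validate before persisting: strip tags and line breaks,
    //    then accept only the characters a date-format string can contain.
    $format = isset( $_POST['date_format'] )
        ? sanitize_text_field( wp_unslash( $_POST['date_format'] ) )
        : '';
    if ( ! preg_match( '/^[A-Za-z0-9\/\-\. ]{1,32}$/', $format ) ) {
        $format = 'YYYY/MM/DD'; // fall back to a safe default on invalid input
    }
    update_option( 'wpjqp_demo_date_format', $format );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_wpjqp_demo_save', 'wpjqp_demo_save_settings_hardened' );
```

The three checks are layered deliberately: the capability check limits who may write the option, the nonce ties each write to a form the user actually rendered, and input validation plus `esc_attr()` on output ensure that even a value that does get stored cannot execute as script. The second recommendation above (reviewing already-stored values) still applies to data persisted before such checks were in place.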

Advisories
Source: EUVD
ID: EUVD-2025-7831
Title: Cross-Site Request Forgery (CSRF) vulnerability in bhzad WP jQuery Persian Datepicker allows Stored XSS. This issue affects WP jQuery Persian Datepicker: from n/a through 0.1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in bhzad WP jQuery Persian Datepicker allows Stored XSS. This issue affects WP jQuery Persian Datepicker: from n/a through 0.1.0.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in bhzad WP jQuery Persian Datepicker wpjqp-datepicker allows Stored XSS.This issue affects WP jQuery Persian Datepicker: from n/a through <= 0.1.0.

Type: References

Type: Metrics (cvssV3_1)
Values Removed: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Fri, 11 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.0002}
Values Added: {'score': 0.00028}


Wed, 19 Mar 2025 14:30:00 +0000

Type: First Time appeared
Values Added: Bhzad; Bhzad wp Jquery Persian Datepicker

Type: CPEs
Values Added: cpe:2.3:a:bhzad:wp_jquery_persian_datepicker:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Bhzad; Bhzad wp Jquery Persian Datepicker

Wed, 12 Mar 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 11 Mar 2025 21:15:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in bhzad WP jQuery Persian Datepicker allows Stored XSS. This issue affects WP jQuery Persian Datepicker: from n/a through 0.1.0.

Type: Title
Values Added: WordPress WP jQuery Persian Datepicker plugin <= 0.1.0 - CSRF to Stored XSS vulnerability

Type: Weaknesses
Values Added: CWE-352

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:49.194Z

Reserved: 2025-03-11T08:08:42.174Z

Link: CVE-2025-28861

Vulnrichment

Updated: 2025-03-12T15:03:29.426Z

NVD

Status : Modified

Published: 2025-03-11T21:15:43.337

Modified: 2026-04-23T15:26:27.490

Link: CVE-2025-28861

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T09:00:11Z

Weaknesses