Description
Cross-Site Request Forgery (CSRF) vulnerability in hotvanrod AdSense Privacy Policy adsense-privacy-policy allows Stored XSS.This issue affects AdSense Privacy Policy: from n/a through <= 1.1.1.
Published: 2025-03-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The AdSense Privacy Policy plugin suffers from a Cross‑Site Request Forgery vulnerability that permits attackers to inject malicious scripts which are then persistently stored by the site. This stored XSS flaw can be used to steal site credentials, deface the website, or deliver malware to visitors, compromising confidentiality, integrity, and availability of the affected WordPress instance.

Affected Systems

WordPress sites running the hotvanrod AdSense Privacy Policy plugin version 1.1.1 or earlier are impacted. The plugin appears in the vendor name hotvanrod, with the affected version range listed through <=1.1.1.

Risk and Exploitability

The CVSS vector gives a score of 7.1, indicating high severity. The EPSS score is reported as <1%, which suggests exploitation likelihood is currently low. The vulnerability is not listed in the CISA KEV catalog. The flaw is a CSRF that can be triggered by an attacker via a forged request from a legitimate user’s browser; the success path requires the victim to be logged in with sufficient privileges to modify plugin settings, after which the injected script is stored and executed for all site visitors. Based on the provided data, the risk is high severity but the current exploitation probability remains low.

Generated by OpenCVE AI on May 1, 2026 at 04:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AdSense Privacy Policy plugin to a version newer than 1.1.1 if available; if no newer release exists, remove the plugin entirely.
  • Ensure that every state‑changing request in the WordPress installation is protected by a unique CSRF token, or use a standard WordPress security plugin that enforces CSRF protection.
  • Monitor the site for signs of injected scripts or unauthorized content, review server and access logs for anomalous activity, and block suspicious IP addresses if needed.

Generated by OpenCVE AI on May 1, 2026 at 04:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-7943 Cross-Site Request Forgery (CSRF) vulnerability in hotvanrod AdSense Privacy Policy allows Stored XSS. This issue affects AdSense Privacy Policy: from n/a through 1.1.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in hotvanrod AdSense Privacy Policy allows Stored XSS. This issue affects AdSense Privacy Policy: from n/a through 1.1.1. Cross-Site Request Forgery (CSRF) vulnerability in hotvanrod AdSense Privacy Policy adsense-privacy-policy allows Stored XSS.This issue affects AdSense Privacy Policy: from n/a through <= 1.1.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 25 Mar 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 24 Mar 2025 14:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in hotvanrod AdSense Privacy Policy allows Stored XSS. This issue affects AdSense Privacy Policy: from n/a through 1.1.1.
Title WordPress AdSense Privacy Policy plugin <= 1.1.1 - Cross Site Request Forgery (CSRF) to Stored XSS Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:54.427Z

Reserved: 2025-03-24T13:00:15.940Z

Link: CVE-2025-30578

cve-icon Vulnrichment

Updated: 2025-03-25T18:21:33.475Z

cve-icon NVD

Status : Deferred

Published: 2025-03-24T14:15:30.073

Modified: 2026-06-17T09:08:57.300

Link: CVE-2025-30578

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T04:30:08Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)