Description
Cross-Site Request Forgery (CSRF) vulnerability in shawfactor LH OGP Meta lh-ogp-meta-tags allows Stored XSS. This issue affects LH OGP Meta: from n/a through <= 1.73.
Published: 2025-03-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cross-Site Request Forgery in the shawfactor LH OGP Meta plugin lets an attacker use a forged request, submitted unknowingly by a logged-in user, to store a malicious script in the site's metadata, where it persists until it is removed. When a visitor loads a page that includes the compromised metadata, the script executes in the browser, allowing the attacker to deface the site, hijack user sessions, or redirect traffic. The weakness is classified as CWE-352: the plugin does not verify that a state-changing request was intentionally submitted by the user, so forged requests are accepted.

Affected Systems

WordPress sites running the shawfactor LH OGP Meta plugin at version 1.73 or earlier are affected. Any installation with the plugin active and meta tag entries managed by it is vulnerable. The plugin adds Open Graph tags for social media sharing, a common need, so it is found on many WordPress sites.

Risk and Exploitability

The CVSS score of 7.1 signals a high risk. The EPSS score below 1% indicates that exploitation is rarely observed at the time of assessment, and the vulnerability is not listed in the CISA KEV catalog. The vector (AV:N/AC:L/PR:N/UI:R/S:C) describes a low-complexity, network-reachable attack that needs no privileges on the target but does require user interaction. From the description it is inferred that the plugin's request for saving metadata lacks an effective CSRF check, so an attacker could craft such a request and deliver it to a logged-in user through a malicious link or phishing message. Once the script is stored, any visitor to an affected page executes the injected code.

Generated by OpenCVE AI on May 2, 2026 at 03:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LH OGP Meta plugin to the latest released version that fixes the CSRF flaw.
  • If an upgrade cannot be performed immediately, disable the plugin or delete all metadata entries created by it to eliminate the stored script from the site.
  • Verify that WordPress core and all other plugins enforce correct CSRF tokens and limit privileged access to trusted administrators.

Generated by OpenCVE AI on May 2, 2026 at 03:23 UTC.
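The hardening the recommended actions call for, shown as an added PHP illustration that is not the LH OGP Meta plugin's code (every og_demo_* name and the og_demo_title option are hypothetical): a settings handler that accepts any POST and prints the stored value unescaped, beside one that checks a WordPress nonce and capability, sanitizes the input, and escapes the Open Graph tag on output.

```php
<?php
// Added illustration, not the LH OGP Meta plugin's code; every og_demo_* name is hypothetical.
// Weak pattern: the handler accepts a POST from any origin and stores the raw value,
// and the head hook prints it unescaped. A forged request submitted by a logged-in
// administrator thus turns into script stored in the page's metadata (CWE-352 leading to XSS).
function og_demo_save_weak() {
    if ( isset( $_POST['og_demo_title'] ) ) {
        update_option( 'og_demo_title', $_POST['og_demo_title'] ); // no nonce, capability check or sanitization
    }
}
function og_demo_head_weak() {
    echo '<meta property="og:title" content="' . get_option( 'og_demo_title', '' ) . '" />' . "\n";
}

// Hardened pattern: the form carries a nonce bound to the user and action, the handler
// verifies it and the capability, sanitizes the input, and output is attribute-escaped.
function og_demo_settings_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'og_demo_save', 'og_demo_nonce' ); ?>
        <input type="text" name="og_demo_title"
               value="<?php echo esc_attr( get_option( 'og_demo_title', '' ) ); ?>" />
        <?php submit_button(); ?>
    </form>
    <?php
}
function og_demo_save_hardened() {
    if ( ! isset( $_POST['og_demo_title'] ) ) {
        return;
    }
    // Reject forged cross-site requests: a third-party page cannot obtain a valid nonce.
    if ( ! isset( $_POST['og_demo_nonce'] ) || ! wp_verify_nonce( $_POST['og_demo_nonce'], 'og_demo_save' ) ) {
        wp_die( 'Invalid request.', 'Error', array( 'response' => 403 ) );
    }
    // Only users allowed to manage options may change site-wide metadata.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Error', array( 'response' => 403 ) );
    }
    update_option( 'og_demo_title', sanitize_text_field( wp_unslash( $_POST['og_demo_title'] ) ) );
}
function og_demo_head_hardened() {
    // esc_attr() encodes quotes and angle brackets, so stored data cannot break out of the attribute.
    echo '<meta property="og:title" content="' . esc_attr( get_option( 'og_demo_title', '' ) ) . '" />' . "\n";
}
add_action( 'admin_init', 'og_demo_save_hardened' );
add_action( 'wp_head', 'og_demo_head_hardened' );
```

wp_verify_nonce() only proves the request came from a form the user loaded; it is not an authorization check, which is why the capability test stays separate.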

Advisories

Source: EUVD
ID: EUVD-2025-7917
Title: Cross-Site Request Forgery (CSRF) vulnerability in shawfactor LH OGP Meta allows Stored XSS. This issue affects LH OGP Meta: from n/a through 1.73.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Cross-Site Request Forgery (CSRF) vulnerability in shawfactor LH OGP Meta allows Stored XSS. This issue affects LH OGP Meta: from n/a through 1.73.
Values added: Cross-Site Request Forgery (CSRF) vulnerability in shawfactor LH OGP Meta lh-ogp-meta-tags allows Stored XSS.This issue affects LH OGP Meta: from n/a through <= 1.73.

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 25 Mar 2025 19:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 24 Mar 2025 14:00:00 +0000

Type: Description
Values added: Cross-Site Request Forgery (CSRF) vulnerability in shawfactor LH OGP Meta allows Stored XSS. This issue affects LH OGP Meta: from n/a through 1.73.

Type: Title
Values added: WordPress LH OGP Meta plugin <= 1.73 - CSRF to Stored XSS Vulnerability

Type: Weaknesses
Values added: CWE-352

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:54.803Z

Reserved: 2025-03-24T13:00:24.105Z

Link: CVE-2025-30587

Vulnrichment

Updated: 2025-03-25T18:20:10.599Z

NVD

Status: Deferred

Published: 2025-03-24T14:15:30.910

Modified: 2026-06-17T09:08:58.197

Link: CVE-2025-30587

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T03:30:16Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)