Description
Cross-Site Request Forgery (CSRF) vulnerability in coderscom WP Odoo Form Integrator (wp-odoo-form-integrator) allows Stored XSS. This issue affects WP Odoo Form Integrator: from n/a through 1.1.0 (all versions <= 1.1.0).
Published: 2025-03-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to forge a request on behalf of an authenticated WordPress user who has the rights to save content through the WP Odoo Form Integrator plugin (typically an administrator). If that user visits an attacker-controlled page while logged in, the forged request is accepted because the plugin does not verify a CSRF token (a WordPress nonce), and the attacker-supplied script is stored by the plugin and later executed in the browser of any user who views the affected content. Because the injected script runs in the origin of the site, it could steal credentials, log keystrokes, perform further actions with the viewing user's privileges, or launch further attacks; the CVSS vector rates the resulting impact on confidentiality, integrity and availability as low, with a changed scope because the script executes in other users' browsers. The weakness is classified as CWE-352 (Cross-Site Request Forgery) that leads to stored XSS.

Affected Systems

WordPress sites running the coderscom WP Odoo Form Integrator plugin version 1.1.0 or earlier are impacted. No other vendors or product versions are currently listed as affected.

Risk and Exploitability

The CVSS 3.1 score of 7.1 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) reflects a high severity assessment: the attack is reachable over the network with low complexity and requires no privileges of the attacker's own, but it needs a victim to interact (visit the attacker's page while logged in), and the scope is changed because the stored script runs in other users' browsers, with low impact on each of confidentiality, integrity and availability. The EPSS score of <1% indicates a low probability of exploitation in the current threat landscape, the SSVC assessment records no known exploitation and rates the issue as not automatable, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a crafted request delivered to a logged-in privileged user, for example via a phishing link or a malicious web page that auto-submits a form to the target site, exploiting the absence of a nonce check on the plugin's request handler to inject and store arbitrary JavaScript.

Generated by OpenCVE AI on May 1, 2026 at 04:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a release of the WP Odoo Form Integrator plugin that adds the missing CSRF check as soon as the vendor publishes one; at the time of writing no fixed version or workaround is listed, so all versions up to and including 1.1.0 should be treated as vulnerable.
  • If the plugin is not required for site functionality, remove it entirely to eliminate the attack surface.
  • As a supplementary safeguard, enforce CSRF protection on every state-changing WordPress request (a nonce issued with wp_nonce_field() and verified with check_admin_referer() or wp_verify_nonce(), together with a current_user_can() capability check), sanitize all user-supplied content before it is stored, and escape it on output to prevent stored XSS.

Generated by OpenCVE AI on May 1, 2026 at 04:17 UTC.
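The pattern behind a CSRF-to-stored-XSS bug in a WordPress plugin, and the fix the recommended actions describe, as an added illustration that is not code from WP Odoo Form Integrator and was not generated by OpenCVE. The action, option and field names (hypo_odoo_*) are placeholders chosen for this example and are not taken from the plugin; the block uses the WordPress plugin API, so it runs only inside a WordPress site.

```php
<?php
/*
 * Added illustration, not code from WP Odoo Form Integrator.
 * Every hypo_odoo_* name is a hypothetical placeholder.
 * Requires WordPress: it uses the plugin API (hooks, options, nonces, escaping).
 */

/* --- Vulnerable shape: no nonce, no capability check, nothing sanitised. --- */
add_action( 'admin_post_hypo_odoo_save_vuln', 'hypo_odoo_save_vuln' );
function hypo_odoo_save_vuln() {
    // Any logged-in browser that POSTs here is trusted, so a page on another
    // origin can auto-submit this form while the victim is logged in, and the
    // raw attacker-controlled value is persisted (stored XSS once rendered).
    update_option( 'hypo_odoo_label', $_POST['label'] );
    wp_safe_redirect( admin_url( 'admin.php?page=hypo-odoo' ) );
    exit;
}

/* --- Hardened shape: capability + nonce on write, sanitise on store, escape on output. --- */
add_action( 'admin_post_hypo_odoo_save', 'hypo_odoo_save' );
function hypo_odoo_save() {
    // 1. Capability check: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF check: the nonce was issued to this user for this action. A page on
    //    another origin cannot read or forge it, so a forged POST dies here.
    check_admin_referer( 'hypo_odoo_save_action', 'hypo_odoo_nonce' );

    // 3. Sanitise on input: remove tags and control characters before storing.
    $label = isset( $_POST['label'] )
        ? sanitize_text_field( wp_unslash( $_POST['label'] ) )
        : '';
    update_option( 'hypo_odoo_label', $label );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=hypo-odoo' ) ) );
    exit;
}

/* Settings form that issues the nonce; the stored value is escaped when rendered. */
function hypo_odoo_render_form() {
    $label = get_option( 'hypo_odoo_label', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hypo_odoo_save">
        <?php wp_nonce_field( 'hypo_odoo_save_action', 'hypo_odoo_nonce' ); ?>
        <label for="hypo_odoo_label">Form label</label>
        <!-- 4. Escape on output: a value that slipped through cannot break out of the attribute. -->
        <input type="text" id="hypo_odoo_label" name="label"
               value="<?php echo esc_attr( $label ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The nonce closes the CSRF hole (step 2) and the capability check closes the privilege hole (step 1); sanitising on input and escaping on output (steps 3 and 4) are independent of both and are what stop a stored value from becoming XSS. If a plugin also renders stored values on the public front end, the same escaping (esc_html() in text, esc_attr() in attributes) has to be applied there, since the visitor's browser is where the script would run.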


Advisories
Source: EUVD
ID: EUVD-2025-7918
Title: Cross-Site Request Forgery (CSRF) vulnerability in coderscom WP Odoo Form Integrator allows Stored XSS. This issue affects WP Odoo Form Integrator: from n/a through 1.1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Cross-Site Request Forgery (CSRF) vulnerability in coderscom WP Odoo Form Integrator allows Stored XSS. This issue affects WP Odoo Form Integrator: from n/a through 1.1.0.
  Added: Cross-Site Request Forgery (CSRF) vulnerability in coderscom WP Odoo Form Integrator wp-odoo-form-integrator allows Stored XSS.This issue affects WP Odoo Form Integrator: from n/a through <= 1.1.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 24 Mar 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 24 Mar 2025 14:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in coderscom WP Odoo Form Integrator allows Stored XSS. This issue affects WP Odoo Form Integrator: from n/a through 1.1.0.
Title WordPress WP Odoo Form Integrator plugin <=1.1.0 - CSRF to Stored XSS vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:55.885Z

Reserved: 2025-03-24T13:00:55.838Z

Link: CVE-2025-30620

Vulnrichment

Updated: 2025-03-24T21:21:18.209Z

NVD

Status: Deferred

Published: 2025-03-24T14:15:34.520

Modified: 2026-04-23T15:26:59.167

Link: CVE-2025-30620

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T04:30:08Z

Weaknesses