Description
Cross-Site Request Forgery (CSRF) vulnerability in dalziel Windows Live Writer windows-live-writer allows Stored XSS.This issue affects Windows Live Writer: from n/a through <= 0.1.
Published: 2025-04-09
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to craft a request that a user’s browser will automatically submit, exploiting a Cross‑Site Request Forgery flaw. Because the request is processed by the WordPress Windows Live Writer plugin, the attacker can inject arbitrary JavaScript that is stored and executed whenever the affected content is viewed, leading to potential data theft or defacement.

Affected Systems

The plugin is developed by dalziel under the name Windows Live Writer. Versions from the first release through 0.1 are affected; no higher versions received the fix.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate to high severity. The EPSS score is listed as less than 1%, suggesting that, at the time of this analysis, exploitation is expected to be rare. The vulnerability is not included in the CISA KEV catalog. The likely attack vector is a targeted CSRF attack where the victim is prompted to visit a malicious page while authenticated to the site, allowing the attacker to insert stored XSS content without further user action.

Generated by OpenCVE AI on April 30, 2026 at 23:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official update to Windows Live Writer version 0.1 or later. 
  • Ensure that your WordPress installation is up to date and that no older versions of the plugin remain installed. 
  • If a timely patch is unavailable, block the plugin’s endpoints that accept write operations by restricting access to trusted IP addresses or disabling the plugin entirely until a fix is applied.

Generated by OpenCVE AI on April 30, 2026 at 23:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-10626 Cross-Site Request Forgery (CSRF) vulnerability in dalziel Windows Live Writer allows Stored XSS. This issue affects Windows Live Writer: from n/a through 0.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in dalziel Windows Live Writer allows Stored XSS. This issue affects Windows Live Writer: from n/a through 0.1. Cross-Site Request Forgery (CSRF) vulnerability in dalziel Windows Live Writer windows-live-writer allows Stored XSS.This issue affects Windows Live Writer: from n/a through <= 0.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 09 Apr 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 09 Apr 2025 16:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in dalziel Windows Live Writer allows Stored XSS. This issue affects Windows Live Writer: from n/a through 0.1.
Title WordPress Windows Live Writer plugin <= 0.1 - CSRF to Stored XSS vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:22.214Z

Reserved: 2025-04-09T11:18:53.987Z

Link: CVE-2025-32480

cve-icon Vulnrichment

Updated: 2025-04-09T17:40:46.533Z

cve-icon NVD

Status : Deferred

Published: 2025-04-09T17:15:40.433

Modified: 2026-04-23T15:28:57.540

Link: CVE-2025-32480

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T00:00:05Z

Weaknesses