Description
Cross-Site Request Forgery (CSRF) vulnerability in Kiotviet KiotViet Sync allows Stored XSS. This issue affects KiotViet Sync: from n/a through 1.8.4.
Published: 2025-04-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The KiotViet Sync plugin accepts a state-changing request without verifying an anti-CSRF token (CWE-352). An attacker who lures a logged-in WordPress user, typically an administrator, onto a page they control can have that user's browser submit a crafted request; the browser attaches the site's session cookies, so the plugin treats the request as legitimate and stores the attacker-supplied value in its persisted data (the advisory does not name the specific field). Because that stored value is later rendered without adequate escaping, the attacker's script executes in the browser of every visitor to the page that displays it, enabling session hijacking, credential theft, or actions performed with the victim's privileges.

Affected Systems

All WordPress installations running KiotViet Sync version 1.8.4 or earlier are affected; the advisory gives no lower bound ("n/a"), so every release up to and including 1.8.4 should be treated as vulnerable. The record was briefly changed to "<= 1.8.5" and then reverted to 1.8.4 (see History), so confirm the fixed version against the vendor's changelog before treating 1.8.5 as safe. No operating-system, PHP, or WordPress version constraints are listed; the vulnerability resides solely in the plugin code.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (High) comes from the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: the attacker needs no account on the site (PR:N) but does need a privileged user to follow a link or load a page (UI:R), and scope is changed because the injected script runs in site visitors' browsers rather than in the plugin itself. The EPSS score below 1% and the SSVC assessment recorded in History (Exploitation: none, Automatable: no, Technical Impact: partial) indicate no known active exploitation, and the issue is not in CISA's KEV catalog. Confidentiality, integrity and availability impacts are each rated low; the practical risk is to visitors of the affected pages and to administrators whose authenticated sessions can be abused to plant the payload.

Generated by OpenCVE AI on May 1, 2026 at 09:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the KiotViet Sync plugin to a release that includes the CSRF fix as soon as the vendor publishes one (none is listed on this page). After updating, confirm that the affected handler now verifies a nonce (for example via check_admin_referer() or wp_verify_nonce()) and checks the caller's capability before writing anything.
  • If an upgrade is not yet possible, deactivate or uninstall the plugin to remove the attack surface. Where it must stay active, limit which accounts hold administrator rights and have those users avoid browsing untrusted sites while logged in, since the attack needs an authenticated browser session. Setting the SameSite attribute on authentication cookies reduces exposure but does not replace a server-side nonce check.
  • As defence in depth, deploy a WAF rule that filters script payloads in requests to the plugin's endpoints, and a Content Security Policy that restricts inline script on the pages that render the stored data. Neither fixes the missing CSRF check: a WAF can be bypassed with encoding, and a CSP only limits what an injected script can do once stored.
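The mechanism described under Impact above and the handler check called for in the first recommended action, shown together as an added example. This is illustrative PHP written for this page, not code from the KiotViet Sync plugin; the option name demo_sync_note, the admin-post action demo_sync_save, the form field note and the manage_options capability are assumptions. It contrasts the pattern the advisory describes (a state-changing handler with no nonce check whose stored value is echoed unescaped) with a hardened equivalent built from standard WordPress functions.

```php
<?php
/**
 * Added illustration, not code from the KiotViet Sync plugin. The option
 * name `demo_sync_note`, the admin-post action `demo_sync_save`, the field
 * `note` and the capability `manage_options` are assumptions for the example.
 *
 * Pattern 1: a handler that trusts any authenticated request (CWE-352).
 * A logged-in admin who loads an attacker-controlled page can be made to
 * POST to admin-post.php; the browser attaches the WordPress auth cookies,
 * so the request is accepted and the raw string is stored.
 */
function demo_sync_save_vulnerable() {
    // No nonce check, no capability check, no sanitisation.
    update_option( 'demo_sync_note', $_POST['note'] ?? '' );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

/** Pattern 1, render side: the stored value is echoed raw, so a stored
 *  <script> payload runs for every visitor of the page that shows it. */
function demo_sync_render_vulnerable() {
    echo '<p>' . get_option( 'demo_sync_note', '' ) . '</p>';
}

/**
 * Pattern 2: the hardened handler.
 *  - check_admin_referer() dies unless the request carries a valid nonce
 *    bound to this action and the current user's session (CSRF defence).
 *  - current_user_can() enforces least privilege on who may change the value.
 *  - sanitize_text_field() strips tags before storage; wp_kses_post() is the
 *    alternative when a limited HTML subset is legitimately required.
 */
function demo_sync_save_hardened() {
    check_admin_referer( 'demo_sync_save', 'demo_sync_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    $note = isset( $_POST['note'] )
        ? sanitize_text_field( wp_unslash( $_POST['note'] ) )
        : '';
    update_option( 'demo_sync_note', $note );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

/** Pattern 2, render side: escape on output regardless of what was stored. */
function demo_sync_render_hardened() {
    echo '<p>' . esc_html( get_option( 'demo_sync_note', '' ) ) . '</p>';
}

/** The form that matches the hardened handler: wp_nonce_field() emits the
 *  hidden nonce that check_admin_referer() later verifies. */
function demo_sync_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_sync_save">
        <?php wp_nonce_field( 'demo_sync_save', 'demo_sync_nonce' ); ?>
        <input type="text" name="note">
        <button type="submit">Save</button>
    </form>
    <?php
}

// Only the hardened handler is wired up; the vulnerable one is shown for contrast.
add_action( 'admin_post_demo_sync_save', 'demo_sync_save_hardened' );
```

To audit an installed plugin for the same pattern, search its source for admin_post_, wp_ajax_ and admin_init callbacks that write to the database (update_option, wp_update_post, direct $wpdb queries) and confirm that each one calls check_admin_referer(), check_ajax_referer() or wp_verify_nonce() and a capability check before the write. A handler that does neither is reachable by exactly the forged request described under Impact, and escaping on output alone only contains the consequence, not the cause.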

Advisories
Source: EUVD
ID: EUVD-2025-12072
Title: Cross-Site Request Forgery (CSRF) vulnerability in Kiotviet KiotViet Sync allows Stored XSS. This issue affects KiotViet Sync: from n/a through 1.8.4.
History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Description
  Removed: Cross-Site Request Forgery (CSRF) vulnerability in Kiotviet KiotViet Sync kiotvietsync allows Stored XSS.This issue affects KiotViet Sync: from n/a through <= 1.8.5.
  Added: Cross-Site Request Forgery (CSRF) vulnerability in Kiotviet KiotViet Sync allows Stored XSS. This issue affects KiotViet Sync: from n/a through 1.8.4.
Title
  Removed: WordPress KiotViet Sync plugin <= 1.8.5 - CSRF to Stored XSS vulnerability
  Added: WordPress KiotViet Sync plugin <= 1.8.4 - CSRF to Stored XSS vulnerability
References

Thu, 23 Apr 2026 15:30:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Description
  Removed: Cross-Site Request Forgery (CSRF) vulnerability in Kiotviet KiotViet Sync allows Stored XSS. This issue affects KiotViet Sync: from n/a through 1.8.4.
  Added: Cross-Site Request Forgery (CSRF) vulnerability in Kiotviet KiotViet Sync kiotvietsync allows Stored XSS.This issue affects KiotViet Sync: from n/a through <= 1.8.5.
Title
  Removed: WordPress KiotViet Sync plugin <= 1.8.4 - CSRF to Stored XSS vulnerability
  Added: WordPress KiotViet Sync plugin <= 1.8.5 - CSRF to Stored XSS vulnerability
References

Fri, 25 Apr 2025 14:15:00 +0000

Metrics (ssvc)
  Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 24 Apr 2025 16:15:00 +0000

Description
  Added: Cross-Site Request Forgery (CSRF) vulnerability in Kiotviet KiotViet Sync allows Stored XSS. This issue affects KiotViet Sync: from n/a through 1.8.4.
Title
  Added: WordPress KiotViet Sync plugin <= 1.8.4 - CSRF to Stored XSS vulnerability
Weaknesses
  Added: CWE-352
References
Metrics (cvssV3_1)
  Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:29.819Z

Reserved: 2025-04-16T06:22:35.637Z

Link: CVE-2025-39381

Vulnrichment

Updated: 2025-04-24T19:55:59.508Z

NVD

Status : Deferred

Published: 2025-04-24T16:15:31.423

Modified: 2026-04-28T19:31:54.560

Link: CVE-2025-39381

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:15:13Z

Weaknesses