Description
Cross-Site Request Forgery (CSRF) vulnerability in Jenst Add to Header add-to-header allows Stored XSS. This issue affects Add to Header: from n/a through <= 1.0.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to forge a request to the WordPress site, leading the plugin to store malicious JavaScript code in a header that is later rendered on all pages. Once the code is executed, the attacker can hijack users’ sessions, steal credentials, or perform further attacks. The weakness is a classic CSRF that results in stored XSS, classified as CWE‑352.

Affected Systems

Jenst Add to Header plugin, on any WordPress installation using versions up to and including 1.0. No specific sub‑versions are disclosed, so the entire range up to and including 1.0 is considered vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity, while the EPSS score of less than 1% suggests that mass exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the forged request from a malicious web page or link that the victim follows, resulting in injection of stored script into the site’s header.

Generated by OpenCVE AI on April 30, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Jenst Add to Header to the most recent available version that addresses the CSRF to XSS flaw.
  • If an update is not yet available, temporarily remove or deactivate the plugin to prevent the stored XSS from being served.
  • Implement a CSRF protection mechanism on the site (e.g., a security plugin that adds anti‑CSRF tokens to all forms) to reduce the risk of similar attacks in the future.

Generated by OpenCVE AI on April 30, 2026 at 22:20 UTC.
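As an added illustration of the bug class described above and of the anti‑CSRF control the recommendations call for (hypothetical plugin code written for this page, not the Add to Header plugin's own source): a settings handler that stores header markup from a POST without a nonce or capability check, beside a hardened version that uses a WordPress nonce, a capability check and allow‑listed output. All function and option names are assumptions.

```php
<?php
// Hypothetical WordPress plugin fragment (not the Add to Header plugin's code).
// Option name and function names are assumptions for this example.

// --- Vulnerable pattern: CSRF leading to stored XSS ---
// Any request reaching this handler updates the option. With no nonce or
// capability check, a forged cross-site request sent by a logged-in admin's
// browser is accepted, and the raw value is later printed into <head> on
// every page.
function demo_vuln_save_header() {
    if ( isset( $_POST['demo_header_code'] ) ) {
        update_option( 'demo_header_code', $_POST['demo_header_code'] );
    }
}
function demo_vuln_print_header() {
    echo get_option( 'demo_header_code', '' ); // unescaped output
}

// --- Hardened pattern ---
// 1. The settings form carries a nonce bound to the action and the user.
function demo_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'demo_save_header', 'demo_header_nonce' );
    echo '<textarea name="demo_header_code">'
        . esc_textarea( get_option( 'demo_header_code', '' ) )
        . '</textarea><button type="submit">Save</button></form>';
}
// 2. The handler checks the capability, verifies the nonce (a forged request
//    from another origin cannot supply it), and sanitizes the stored value.
function demo_save_header() {
    if ( ! isset( $_POST['demo_header_code'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'demo_save_header', 'demo_header_nonce' ); // dies on failure
    $clean = wp_kses_post( wp_unslash( $_POST['demo_header_code'] ) );
    update_option( 'demo_header_code', $clean );
}
// 3. Output is restricted to an allow-list of tags, so stored markup cannot
//    carry <script> even if a bad value reaches the option table.
function demo_print_header() {
    echo wp_kses_post( get_option( 'demo_header_code', '' ) );
}
add_action( 'admin_init', 'demo_save_header' );
add_action( 'wp_head', 'demo_print_header' );
```

If the feature genuinely has to accept script tags (analytics snippets), the allow‑list step is not applicable and the nonce plus capability check becomes the essential control; a request‑level anti‑CSRF token, as the recommendations suggest, is the same idea applied site‑wide.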

Advisories

  • Source: EUVD
    ID: EUVD-2025-11565
    Title: Cross-Site Request Forgery (CSRF) vulnerability in Jenst Add to Header allows Stored XSS. This issue affects Add to Header: from n/a through 1.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

  • Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  • Description, value removed: Cross-Site Request Forgery (CSRF) vulnerability in Jenst Add to Header allows Stored XSS. This issue affects Add to Header: from n/a through 1.0.
  • Description, value added: Cross-Site Request Forgery (CSRF) vulnerability in Jenst Add to Header add-to-header allows Stored XSS.This issue affects Add to Header: from n/a through <= 1.0.
  • References: (no values listed)
  • Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 17 Apr 2025 16:15:00 +0000

  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 17 Apr 2025 15:30:00 +0000

  • Description: Cross-Site Request Forgery (CSRF) vulnerability in Jenst Add to Header allows Stored XSS. This issue affects Add to Header: from n/a through 1.0.
  • Title: WordPress Add to Header plugin <= 1.0 - CSRF to XSS vulnerability
  • Weaknesses: CWE-352
  • References: (no values listed)
  • Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:31.277Z

Reserved: 2025-04-16T06:23:07.436Z

Link: CVE-2025-39423

Vulnrichment

Updated: 2025-04-17T16:06:06.337Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:52.203

Modified: 2026-04-23T15:29:31.577

Link: CVE-2025-39423

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T22:30:02Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)