Description
The Abundatrade Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.02. This is due to missing or incorrect nonce validation on the 'abundatrade' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-05-03
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS via CSRF in Abundatrade Plugin
Action: Apply Patch
AI Analysis

Impact

This vulnerability arises from missing or incorrect nonce validation on the 'abundatrade' page of the Abundatrade WordPress plugin, allowing an unauthenticated attacker to forge a request that modifies the plugin's settings. By injecting a malicious script through the forged settings update, the attacker can store cross-site scripting code that executes in the browser of an administrator who later visits the affected page. The weakness is classified as CWE-352 (Cross-Site Request Forgery): the plugin does not verify that the state-changing request was intentionally submitted by the logged-in user. Because the stored script runs with the privileges of the site administrator, an attacker can hijack sessions, deface the site, or exfiltrate sensitive content.

Affected Systems

The plugin is distributed by withinboredom and is available on the WordPress plugin repository. Versions up to and including 1.8.02 are affected. The vulnerability is specific to the Abundatrade Plugin within WordPress installations that have the plugin activated. No other WordPress core components are impacted.

Risk and Exploitability

The CVSS 3.1 score of 6.1 denotes medium severity. An EPSS below 1% indicates that the likelihood of exploitation is currently very low, and the vulnerability has not been listed in the CISA KEV catalog. The attack requires a social engineering step: the attacker must get a crafted link or page in front of a logged-in site administrator, whose browser then submits the forged request. Because the vulnerable action runs as an authenticated administrator, the impact of successful exploitation is high, underlining the importance of timely remediation.

Generated by OpenCVE AI on April 21, 2026 at 20:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Abundatrade Plugin to the latest version available from the WordPress plugin repository, which is expected to contain the nonce validation fix.
  • If an upgrade is not immediately possible, disable or delete the plugin from the site entirely.
  • Block external access to the 'abundatrade' admin endpoint by using a web application firewall or restricting the page to trusted IP ranges.
  • Review all administrative plugins for proper nonce checks and consider installing a site‑wide request forgery prevention plugin.
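To make the fourth action concrete, the following is an added illustration of the CWE-352 pattern this CVE describes, written for this page and not taken from the Abundatrade plugin: a WordPress admin-post settings handler with no nonce check next to the hardened form that reviewers should expect. All function, option and field names (`example_*`, `tagline`) are assumptions.

```php
<?php
// Constructed illustration of the CWE-352 pattern; not the Abundatrade plugin's code.
// Hook, option and field names are assumptions chosen for this example.

// VULNERABLE: the handler trusts any POST that reaches it. A form on a third-party
// page submitted by a logged-in admin's browser updates the option, and because the
// value is stored unsanitized, script in it persists (CSRF leading to stored XSS).
function example_save_settings_vulnerable() {
    update_option( 'example_tagline', $_POST['tagline'] );
    wp_safe_redirect( admin_url( 'admin.php?page=example&saved=1' ) );
    exit;
}

// HARDENED: capability check, nonce check, sanitize on write, escape on output.
function example_save_settings_hardened() {
    // 1. Only users allowed to manage options may reach the update.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }
    // 2. Reject requests without a valid nonce bound to this action. check_admin_referer()
    //    also checks the HTTP referer and terminates the request on failure.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // 3. Sanitize before storing so no markup or script can persist in the option.
    $tagline = isset( $_POST['tagline'] )
        ? sanitize_text_field( wp_unslash( $_POST['tagline'] ) )
        : '';
    update_option( 'example_tagline', $tagline );

    wp_safe_redirect( admin_url( 'admin.php?page=example&saved=1' ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );

// Settings form: wp_nonce_field() emits the hidden nonce that the handler verifies.
function example_render_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <!-- 4. Escape on output as defence in depth for anything already stored. -->
        <input type="text" name="tagline"
               value="<?php echo esc_attr( get_option( 'example_tagline', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

When auditing a plugin, search its state-changing handlers for `check_admin_referer`, `check_ajax_referer` or `wp_verify_nonce` together with a `current_user_can` check; a handler that calls `update_option` without both is the pattern this advisory describes.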



Advisories
Source: EUVD
ID: EUVD-2025-13310
Title: The Abundatrade Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.02. This is due to missing or incorrect nonce validation on the 'abundatrade' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Mon, 05 May 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 03 May 2025 02:30:00 +0000

Type: Description
Values added: The Abundatrade Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.02. This is due to missing or incorrect nonce validation on the 'abundatrade' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values added: Abundatrade Plugin <= 1.8.02 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Type: Weaknesses
Values added: CWE-352

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:31:57.680Z

Reserved: 2025-05-01T13:18:25.138Z

Link: CVE-2025-4199

Vulnrichment

Updated: 2025-05-05T14:40:39.705Z

NVD

Status: Deferred

Published: 2025-05-03T03:15:29.070

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4199

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:00:36Z

Weaknesses