Description
Cross-Site Request Forgery (CSRF) vulnerability in Yash Binani Time Based Greeting time-based-greeting allows Stored XSS. This issue affects Time Based Greeting: from n/a through <= 2.2.2.
Published: 2025-04-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery that permits a malicious actor to inject and store arbitrary JavaScript in the plugin. When the forged request is processed, the injected script executes in the context of the victim’s browser, resulting in Stored Cross‑Site Scripting. This can lead to session hijacking, defacement, or execution of arbitrary code in the victim’s browser.

Affected Systems

WordPress installations that have the Time Based Greeting plugin from Yash Binani installed at versions 2.2.2 or earlier are affected. No lower bound is listed, but any installation running at or before 2.2.2 is susceptible.

Risk and Exploitability

The CVSS score of 7.1 indicates High severity. The EPSS score of less than 1% shows a low probability of exploitation, and the vulnerability is not listed in CISA KEV. The likely attack vector is an attacker crafting a malicious web page that causes an authenticated user to submit a forged request to the plugin's endpoint; the missing CSRF protection lets the request through, and the stored XSS payload then executes in that user's browser.

Generated by OpenCVE AI on April 30, 2026 at 21:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Time Based Greeting plugin to version 2.2.3 or later.
  • If an upgrade cannot be performed immediately, temporarily disable the plugin until a patched version becomes available.
  • Ensure that all state‑changing requests to the plugin include a valid CSRF nonce and that any stored data is properly sanitized or that the ability to store arbitrary scripts is removed.


Advisories
Source: EUVD
ID: EUVD-2025-12085
Title: Cross-Site Request Forgery (CSRF) vulnerability in Yash Binani Time Based Greeting allows Stored XSS. This issue affects Time Based Greeting: from n/a through 2.2.2.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Yash Binani Time Based Greeting allows Stored XSS. This issue affects Time Based Greeting: from n/a through 2.2.2.
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Yash Binani Time Based Greeting time-based-greeting allows Stored XSS. This issue affects Time Based Greeting: from n/a through <= 2.2.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 25 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 24 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Yash Binani Time Based Greeting allows Stored XSS. This issue affects Time Based Greeting: from n/a through 2.2.2.
Title WordPress Time Based Greeting plugin <= 2.2.2 - CSRF to Stored XSS vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:37.300Z

Reserved: 2025-04-24T14:22:09.615Z

Link: CVE-2025-46435

Vulnrichment

Updated: 2025-04-24T19:55:53.692Z

NVD

Status: Deferred

Published: 2025-04-24T16:15:34.613

Modified: 2026-04-23T15:29:59.030

Link: CVE-2025-46435

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T21:15:06Z

Weaknesses