Description
Cross-Site Request Forgery (CSRF) vulnerability in Trân Minh-Quân WPVN wpvn-username-changer allows Cross Site Request Forgery. This issue affects WPVN: from n/a through <= 0.7.8.
Published: 2025-04-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WPVN wpvn-username-changer contains no protection against cross‑site request forgery, allowing an attacker to craft a request that is processed as if it originated from an authenticated user. This leads to unauthorized changes of user account details such as usernames. The weakness is a missing or improperly validated CSRF token, classified as CWE‑352. The primary impact is the corruption of user data integrity and potential loss of trust in the application.

Affected Systems

WordPress sites running the Trân Minh‑Quân WPVN plugin with a version equal to or earlier than 0.7.8 are affected. Versions newer than 0.7.8 contain the mitigated code.

Risk and Exploitability

The CVSS score of 4.3 represents moderate overall risk, emphasizing the impact on data integrity for authenticated users. The EPSS score is below 1%, indicating little evidence of current exploitation. The vulnerability is not listed in CISA's KEV catalog. The likely attack vector involves an authenticated user visiting a malicious site that submits a forged request to the vulnerable plugin endpoint, exploiting the missing CSRF protection.

Generated by OpenCVE AI on May 2, 2026 at 08:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPVN wpvn-username-changer plugin to the latest version available (≥ 0.7.9) to eliminate the missing CSRF protection.
  • If the latest version is unavailable or the upgrade requires downtime, temporarily disable the plugin or remove the username change functionality until the vulnerability is addressed.
  • Implement CSRF token validation for any custom or third‑party interfaces that modify user data – use WordPress nonces or a dedicated CSRF mitigation plugin – to guard against forged requests.


Advisories
Source: EUVD
ID: EUVD-2025-12048
Title: Cross-Site Request Forgery (CSRF) vulnerability in Trân Minh-Quân WPVN allows Cross Site Request Forgery. This issue affects WPVN: from n/a through 0.7.8.
History

Thu, 30 Apr 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Trân Minh-Quân WPVN allows Cross Site Request Forgery. This issue affects WPVN: from n/a through 0.7.8.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Trân Minh-Quân WPVN wpvn-username-changer allows Cross Site Request Forgery. This issue affects WPVN: from n/a through <= 0.7.8.
Title
Values Removed: WordPress WPVN <= 0.7.8 - Cross Site Request Forgery (CSRF) Vulnerability
Values Added: WordPress WPVN plugin <= 0.7.8 - Cross Site Request Forgery (CSRF) Vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Thu, 24 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Trân Minh-Quân WPVN allows Cross Site Request Forgery. This issue affects WPVN: from n/a through 0.7.8.
Title WordPress WPVN <= 0.7.8 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:37.963Z

Reserved: 2025-04-24T14:22:30.738Z

Link: CVE-2025-46462

Vulnrichment

Updated: 2025-04-24T19:55:28.634Z

NVD

Status: Deferred

Published: 2025-04-24T16:15:37.040

Modified: 2026-04-23T15:30:02.320

Link: CVE-2025-46462

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:45:38Z

Weaknesses