Description
Cross-Site Request Forgery (CSRF) vulnerability in tomontoast Drop Caps drop-caps allows Stored XSS. This issue affects Drop Caps: from n/a through <= 2.1.
Published: 2025-04-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross-Site Request Forgery vulnerability in the Drop Caps plugin allows an attacker to store malicious JavaScript code that is executed when any user visits pages with the injected content. The weakness, identified as CWE-352, means that an attacker with the ability to craft a request can exploit the plugin's lack of proper CSRF protection to write arbitrary payloads into stored data.

Affected Systems

The issue affects the tomontoast Drop Caps WordPress plugin for versions up to and including 2.1. All earlier releases are also vulnerable as the affected range is stated as "from n/a through <= 2.1".

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity and an EPSS score of < 1% suggests the probability of exploitation is currently low, though not zero. The vulnerability is not yet listed in the CISA KEV catalog. Exploitation requires an authenticated session that can submit plugin data, implying the attack would most likely originate from a malicious user account or through a session hijack that performs a CSRF POST request. The risk remains moderate due to the limited scope of compromised users and the need for valid credentials.

Generated by OpenCVE AI on May 1, 2026 at 09:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Drop Caps plugin to the latest version (2.2 or later).
  • Disable the Drop Caps plugin until a patched version is available.
  • Ensure all forms that interact with the plugin include WordPress nonce verification to guard against CSRF attempts.
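The nonce verification named in the last recommendation, shown as an added example rather than code from the Drop Caps plugin: a hardened WordPress settings handler and the form that feeds it. The action, nonce and option names (example_save_dropcap, example_dropcap_nonce, example_dropcap_class, example_dropcap_color) are hypothetical placeholders; the plugin's real fields are not known from this page.

```php
<?php
// Added example, not code from the Drop Caps plugin. All action, nonce and
// option names below are hypothetical placeholders.

add_action( 'admin_post_example_save_dropcap', 'example_save_dropcap_settings' );

function example_save_dropcap_settings() {
    // 1. Only users allowed to manage options may save plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF guard: the request must carry a nonce bound to this action and
    //    to the current user's session. A cross-site form post made with the
    //    victim's cookies has no valid nonce, so check_admin_referer() dies
    //    here before any option is written.
    check_admin_referer( 'example_save_dropcap', 'example_dropcap_nonce' );

    // 3. Sanitize before storing so stored values cannot carry markup.
    $css_class = isset( $_POST['dropcap_class'] )
        ? sanitize_html_class( wp_unslash( $_POST['dropcap_class'] ) ) : '';
    $color = isset( $_POST['dropcap_color'] )
        ? sanitize_hex_color( wp_unslash( $_POST['dropcap_color'] ) ) : '';

    update_option( 'example_dropcap_class', $css_class );
    update_option( 'example_dropcap_color', $color ? $color : '' ); // null on bad input

    wp_safe_redirect( add_query_arg( 'updated', '1',
        admin_url( 'options-general.php?page=example-dropcap' ) ) );
    exit;
}

// The settings form: wp_nonce_field() emits the hidden nonce the handler checks.
function example_render_dropcap_form() {
    $css_class = get_option( 'example_dropcap_class', '' );
    $color     = get_option( 'example_dropcap_color', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_dropcap">
        <?php wp_nonce_field( 'example_save_dropcap', 'example_dropcap_nonce' ); ?>
        <!-- 4. Escape on output: even a previously stored value renders inert. -->
        <input type="text" name="dropcap_class" value="<?php echo esc_attr( $css_class ); ?>">
        <input type="text" name="dropcap_color" value="<?php echo esc_attr( $color ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

The capability check, the nonce check and output escaping are independent layers: the nonce stops the forged write that this CVE describes, while sanitizing on input and escaping on output limit the damage of any value that does reach the database.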

Advisories

Source: EUVD
ID: EUVD-2025-12017
Title: Cross-Site Request Forgery (CSRF) vulnerability in tomontoast Drop Caps allows Stored XSS. This issue affects Drop Caps: from n/a through 2.1.
History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description, value removed: Cross-Site Request Forgery (CSRF) vulnerability in tomontoast Drop Caps allows Stored XSS. This issue affects Drop Caps: from n/a through 2.1.
  Description, value added: Cross-Site Request Forgery (CSRF) vulnerability in tomontoast Drop Caps drop-caps allows Stored XSS. This issue affects Drop Caps: from n/a through <= 2.1.
  References: changed
  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Fri, 25 Apr 2025 14:15:00 +0000
  Metrics (ssvc), value added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 24 Apr 2025 16:15:00 +0000
  Description, value added: Cross-Site Request Forgery (CSRF) vulnerability in tomontoast Drop Caps allows Stored XSS. This issue affects Drop Caps: from n/a through 2.1.
  Title, value added: WordPress Drop Caps plugin <= 2.1 - CSRF to XSS vulnerability
  Weaknesses, value added: CWE-352
  References: added
  Metrics (cvssV3_1), value added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:39.177Z

Reserved: 2025-04-24T14:23:02.621Z

Link: CVE-2025-46495

Vulnrichment

Updated: 2025-04-24T19:54:47.552Z

NVD

Status : Deferred

Published: 2025-04-24T16:15:40.140

Modified: 2026-04-23T15:30:06.780

Link: CVE-2025-46495

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:15:13Z

Weaknesses