Description
Cross-Site Request Forgery (CSRF) vulnerability in Moloni Contribuinte Checkout contribuinte-checkout allows Stored XSS.This issue affects Contribuinte Checkout: from n/a through <= 2.0.03.
Published: 2025-05-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a CSRF flaw that allows an attacker to store a malicious script in the plugin’s data. Stored XSS can lead to client‑side code execution, which may be used to steal user information, deface the site, or redirect visitors to phishing sites. The weakness is identified as CWE‑352, a classic CSRF fault that bypasses user authorization.

Affected Systems

This issue affects the Moloni Contribuinte Checkout WordPress plugin for all versions from the earliest available release through version 2.0.03 inclusive. The plugin is used by WordPress sites that require integration with Moloni’s invoicing system.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity. The EPSS score of <1% suggests that exploitation is unlikely at the current time, and the vulnerability is not present in the CISA KEV list. The likely attack vector is a forged request from a malicious site, exploiting the missing CSRF protection to inject and store a script that later executes in the context of site visitors.

Generated by OpenCVE AI on April 30, 2026 at 13:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Contribuinte Checkout plugin release that contains the CSRF to stored XSS fix (at least version 2.0.04 if available).
  • If an update is not yet available, disable or remove the Contribuinte Checkout plugin until a fix is released.
  • Require a unique nonce or token (for example, WordPress nonces) on all user‑generated forms and validate it on submission to prevent CSRF.
  • Scan the site for any malicious scripts that may have been stored due to the vulnerability and remove them.

Generated by OpenCVE AI on April 30, 2026 at 13:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-13722 Cross-Site Request Forgery (CSRF) vulnerability in Moloni Contribuinte Checkout allows Stored XSS. This issue affects Contribuinte Checkout: from n/a through 2.0.02.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Moloni Contribuinte Checkout allows Stored XSS. This issue affects Contribuinte Checkout: from n/a through 2.0.02. Cross-Site Request Forgery (CSRF) vulnerability in Moloni Contribuinte Checkout contribuinte-checkout allows Stored XSS.This issue affects Contribuinte Checkout: from n/a through <= 2.0.03.
Title WordPress Contribuinte Checkout plugin <= 2.0.02 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability WordPress Contribuinte Checkout plugin <= 2.0.03 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00017}

 epss

{'score': 0.00019}

Wed, 07 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 May 2025 14:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Moloni Contribuinte Checkout allows Stored XSS. This issue affects Contribuinte Checkout: from n/a through 2.0.02.
Title WordPress Contribuinte Checkout plugin <= 2.0.02 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:49.616Z

Reserved: 2025-05-07T10:45:37.287Z

Link: CVE-2025-47685

cve-icon Vulnrichment

Updated: 2025-05-07T17:18:31.104Z

cve-icon NVD

Status : Deferred

Published: 2025-05-07T15:16:20.483

Modified: 2026-04-23T15:30:44.597

Link: CVE-2025-47685

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T13:15:37Z

Weaknesses