Description
Cross-Site Request Forgery (CSRF) vulnerability in Xavier Media XM-Backup xm-backup allows Stored XSS. This issue affects XM-Backup: from n/a through <= 0.9.1.
Published: 2025-08-28
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross-Site Request Forgery flaw that lets an attacker store malicious JavaScript in content handled by the XM-Backup plugin. Once stored, the script runs in the browser of any user who views the affected content, potentially exposing session cookies, defacing the site, or enabling further attacks. The underlying weakness is CSRF (CWE-352), escalated here into a stored XSS vector.

Affected Systems

All WordPress sites using Xavier Media's XM-Backup plugin with versions up to and including 0.9.1 are vulnerable. No specific patch version is listed, but the issue applies to every installation of the plugin at or below this version.

Risk and Exploitability

The CVSS score of 7.1 indicates a high impact if exploited. However, the EPSS score of less than 1% shows that the likelihood of current exploitation is low, and the vulnerability is not listed in CISA's KEV catalog. An attacker would need to lure a logged-in user, most likely an administrator, into issuing an authenticated request that injects the malicious payload. Once the payload is stored, any visitor to the compromised content triggers the script. The risk is concentrated on sites where the plugin's content-editing requests are accepted without proper CSRF checks.

Generated by OpenCVE AI on April 30, 2026 at 08:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the XM-Backup plugin to a version newer than 0.9.1, ensuring the vendor's fix is applied.
  • If an update is not available, remove or deactivate the plugin to eliminate the attack surface.
  • Deploy a web application firewall rule that rejects or sanitizes requests carrying script tags in the plugin's data fields.
  • Enable two-factor authentication for WordPress administrator accounts and limit admin access to reduce the chance of a successful CSRF attack.

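The pattern the exploitability analysis and the recommended actions describe, as an added illustration rather than XM-Backup's code (the page does not show which handler is affected): a state-changing plugin request honoured on the strength of the admin's session cookie alone and stored unescaped, beside the same handler with WordPress's nonce, capability, sanitisation and output-escaping checks. Function, action and option names are hypothetical.

```php
<?php
// Added illustration, not XM-Backup's code. All xmb_example_* names and the
// 'xmb_example_label' option are invented for this example.

// Weak shape: any POST that arrives with an administrator's session cookie is
// honoured (no CSRF token), and the value is stored and later echoed unescaped.
function xmb_example_save_label_weak() {
    $label = isset( $_POST['label'] ) ? $_POST['label'] : '';
    update_option( 'xmb_example_label', $label );   // stored as-is
    wp_safe_redirect( admin_url( 'admin.php?page=xmb-example' ) );
    exit;
}
function xmb_example_render_label_weak() {
    echo '<p>' . get_option( 'xmb_example_label', '' ) . '</p>';  // stored XSS sink
}

// Hardened shape: nonce (CSRF token) and capability check on the write,
// sanitisation on input, escaping on every output.
function xmb_example_save_label() {
    // Dies unless the request carries a nonce bound to this user and action.
    check_admin_referer( 'xmb_example_save_label', 'xmb_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $label = isset( $_POST['label'] )
        ? sanitize_text_field( wp_unslash( $_POST['label'] ) )
        : '';
    update_option( 'xmb_example_label', $label );
    wp_safe_redirect( admin_url( 'admin.php?page=xmb-example' ) );
    exit;
}
function xmb_example_render_form() {
    $label = get_option( 'xmb_example_label', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="xmb_example_save_label">
        <?php wp_nonce_field( 'xmb_example_save_label', 'xmb_nonce' ); ?>
        <input type="text" name="label" value="<?php echo esc_attr( $label ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <p><?php echo esc_html( $label ); ?></p>
    <?php
}
// Only the hardened handler is wired to authenticated admin-post requests.
add_action( 'admin_post_xmb_example_save_label', 'xmb_example_save_label' );
```

A cross-origin form cannot obtain the per-user nonce, so the forged request fails at `check_admin_referer` before anything is stored; escaping on output is the second, independent layer that keeps a stored value from executing even if a write does slip through.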

Advisories

Source: EUVD
ID: EUVD-2025-26056
Title: Cross-Site Request Forgery (CSRF) vulnerability in Xavier Media XM-Backup allows Stored XSS. This issue affects XM-Backup: from n/a through 0.9.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Xavier Media XM-Backup allows Stored XSS. This issue affects XM-Backup: from n/a through 0.9.1.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Xavier Media XM-Backup xm-backup allows Stored XSS.This issue affects XM-Backup: from n/a through <= 0.9.1.

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 28 Aug 2025 21:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 28 Aug 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 Aug 2025 13:00:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Xavier Media XM-Backup allows Stored XSS. This issue affects XM-Backup: from n/a through 0.9.1.

Type: Title
Values Added: WordPress XM-Backup plugin <= 0.9.1 - CSRF to Stored XSS vulnerability

Type: Weaknesses
Values Added: CWE-352

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:51.664Z

Reserved: 2025-05-15T17:54:48.128Z

Link: CVE-2025-48109

Vulnrichment

Updated: 2025-08-28T13:34:47.662Z

NVD

Status: Deferred

Published: 2025-08-28T13:15:37.073

Modified: 2026-04-23T15:30:48.780

Link: CVE-2025-48109

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T08:15:32Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)