Description
Cross-Site Request Forgery (CSRF) vulnerability in web-able BetPress betpress allows Stored XSS. This issue affects BetPress: from n/a through <= 1.0.1 Lite.
Published: 2025-08-28
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross-Site Request Forgery flaw (CWE-352) in the BetPress WordPress plugin lets an attacker who lures an authenticated user with rights to the affected feature onto a crafted page submit a state-changing request in that user's name; in WordPress plugins this class of bug typically means a form handler that does not verify a nonce. Because the submitted value is stored without adequate sanitization or output escaping, the attacker can plant a script that is served to anyone who later views the affected content (stored cross-site scripting). That script runs in viewers' browsers within the site's origin and can read session data, perform actions as the viewing user, or inject further content; it does not by itself give the attacker code execution on the server.

Affected Systems

The vulnerability affects the BetPress plugin for WordPress from its earliest release (listed as "n/a") through version 1.0.1 Lite. Any WordPress installation running BetPress 1.0.1 Lite or earlier is potentially exposed, regardless of the WordPress core version or other installed plugins. Note that the vendor/product fields on this record list only "Wordpress" and the NVD entry is marked Deferred, so CPE-based scanners may not match it; check the installed plugin version directly in the WordPress admin or with wp-cli.

Risk and Exploitability

The CVSS 3.1 score of 7.1 (High) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L says the attack is reachable over the network with low complexity, requires no privileges on the attacker's side, requires user interaction (a logged-in victim must load the attacker's page), and changes scope (script stored through the plugin executes in other users' browsers). The EPSS score below 1 %, the absence of the CVE from the CISA KEV catalog, and the SSVC assessment (Exploitation: none, Automatable: no) indicate no known active exploitation. The attack chain implied by the description is: the attacker hosts a page that auto-submits a forged request to the plugin's form handler; an authenticated victim who visits that page unknowingly stores the attacker's script; every later visitor to the affected content then executes it. The user-interaction requirement applies only to the first hop; once the payload is stored, subsequent viewers are affected without any further interaction.

Generated by OpenCVE AI on April 30, 2026 at 15:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the BetPress plugin as soon as the vendor publishes a release later than 1.0.1 Lite that addresses this issue; at the time of this page no fixed version is listed, so verify the changelog before relying on an update.
  • If an update is not available, remove or deactivate the BetPress plugin entirely to eliminate the attack surface.
  • For the plugin's developers: add nonce validation (wp_nonce_field on the form, check_admin_referer or wp_verify_nonce in the handler) and a capability check to every state-changing handler, and sanitize on input and escape on output so stored values cannot carry script. For site owners: set SameSite=Lax or Strict on session cookies to blunt cross-site POSTs (WordPress auth cookies are HttpOnly by default, which limits cookie theft through XSS but does nothing against CSRF), and deploy a Content Security Policy that disallows inline scripts to limit the impact of stored XSS; test such a policy carefully, because the WordPress admin relies on inline scripts.
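The following is an added illustration of the handler pattern behind a CSRF-to-stored-XSS chain and its hardened counterpart; it is not BetPress's code and is not taken from the advisory. The option key demo_bet_banner, the admin-post action demo_save_banner, the nonce action demo_save_banner_nonce, the field names and the manage_options capability are all assumed names chosen for the example.

```php
<?php
/*
 * Hypothetical WordPress plugin code (not BetPress's). Names such as
 * demo_bet_banner, demo_save_banner and demo_save_banner_nonce are assumptions.
 */

// --- Vulnerable pattern (shown for contrast, deliberately not hooked). ---
// No nonce, no capability check, raw storage: any site a logged-in user visits
// can forge this POST (CWE-352), and the stored HTML is later echoed unescaped.
function demo_save_banner_vulnerable() {
    update_option( 'demo_bet_banner', $_POST['banner'] );   // attacker-controlled HTML stored as-is
    wp_safe_redirect( admin_url( 'admin.php?page=demo' ) );
    exit;
}

function demo_render_banner_vulnerable() {
    echo '<div class="banner">' . get_option( 'demo_bet_banner' ) . '</div>'; // stored XSS sink
}

// --- Hardened pattern. ---
function demo_save_banner_hardened() {
    // 1. Capability: only users allowed to manage options may change this setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. Nonce: ties the request to a form this site rendered for this user.
    //    A cross-site forged POST cannot supply a valid nonce; check_admin_referer()
    //    dies with a 403 when the nonce in the '_demo_nonce' field is missing or invalid.
    check_admin_referer( 'demo_save_banner_nonce', '_demo_nonce' );

    // 3. Sanitize on input: keep only the post-safe HTML subset (no <script>, no on* handlers).
    $banner = isset( $_POST['banner'] ) ? wp_kses_post( wp_unslash( $_POST['banner'] ) ) : '';
    update_option( 'demo_bet_banner', $banner );

    wp_safe_redirect( admin_url( 'admin.php?page=demo' ) );
    exit;
}
add_action( 'admin_post_demo_save_banner', 'demo_save_banner_hardened' );

function demo_render_banner_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_banner">
        <?php wp_nonce_field( 'demo_save_banner_nonce', '_demo_nonce' ); ?>
        <textarea name="banner"><?php echo esc_textarea( get_option( 'demo_bet_banner', '' ) ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function demo_render_banner_hardened() {
    // 4. Filter on output as well, so a value written by an earlier unsanitized
    //    version cannot execute even though it is already in the database.
    echo '<div class="banner">' . wp_kses_post( get_option( 'demo_bet_banner', '' ) ) . '</div>';
}
```

The nonce check alone closes the CSRF hop; the capability check and the input/output filtering are what stop the second hop, and filtering at render time is what cleans up payloads that were stored before the fix was deployed.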

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD  EUVD-2025-26049  Cross-Site Request Forgery (CSRF) vulnerability in web-able BetPress allows Stored XSS. This issue affects BetPress: from n/a through 1.0.1 Lite.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in web-able BetPress allows Stored XSS. This issue affects BetPress: from n/a through 1.0.1 Lite.
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in web-able BetPress betpress allows Stored XSS.This issue affects BetPress: from n/a through <= 1.0.1 Lite.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 28 Aug 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 28 Aug 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in web-able BetPress allows Stored XSS. This issue affects BetPress: from n/a through 1.0.1 Lite.
Title WordPress BetPress plugin <= 1.0.1 Lite - CSRF to Stored XSS vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:55.832Z

Reserved: 2025-05-19T14:13:45.513Z

Link: CVE-2025-48309

Vulnrichment

Updated: 2025-08-28T13:34:33.705Z

NVD

Status : Deferred

Published: 2025-08-28T13:15:38.583

Modified: 2026-04-23T15:31:04.720

Link: CVE-2025-48309

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T15:45:40Z

Weaknesses