Description
Cross-Site Request Forgery (CSRF) vulnerability in shen2 多说社会化评论框 duoshuo allows Cross Site Request Forgery. This issue affects 多说社会化评论框: from n/a through <= 1.2.
Published: 2025-08-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross-site request forgery flaw in the shen2 多说社会化评论框 WordPress plugin lets an attacker cause a logged-in user's browser to submit requests that alter the plugin's configuration. The weakness is classified as CWE-352. It can only be exploited when an authenticated account with sufficient privileges interacts with the plugin's settings interface, and it does not provide direct code execution or privilege escalation.

Affected Systems

WordPress sites that have the shen2 多说社会化评论框 plugin installed in version 1.2 or older are affected. The CVE description does not specify any particular WordPress core version or additional components.

Risk and Exploitability

The CVSS score of 4.3 corresponds to medium severity. The EPSS score of less than 1 percent indicates a relatively low likelihood of exploitation, and the flaw is not listed in the CISA KEV catalog. An attacker would need a victim user with an active session that can reach the plugin's settings page; beyond that, no external access or privileged account is required. Exploitation would only change configuration values, so detection depends on monitoring administrative activity for unexpected configuration changes.

Generated by OpenCVE AI on May 1, 2026 at 06:29 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the shen2 多说社会化评论框 plugin to a version newer than 1.2 or remove the plugin entirely if no update is available.
  • If no fix is available, restrict access to the plugin's settings pages so that only administrators can reach them, and consider adding an additional verification step for configuration changes.
  • Monitor administrative activity for unexpected configuration changes, as the vulnerability can only be triggered by an authenticated session.
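The additional verification step recommended above is, in WordPress terms, a nonce tied to the settings action plus a capability check in the handler. The following PHP is an added example, not code from the duoshuo plugin: the option name, action name, form field and function names are assumed, and the weak handler is shown only for contrast with the hardened one.

```php
<?php
// Added example (not the duoshuo plugin's code). Assumed names:
// option 'myplugin_settings', admin-post action 'myplugin_save_settings'.

// Weak pattern to avoid: saves whatever is POSTed on any admin page load, with
// no proof the request came from the plugin's own form (any third-party page
// the admin visits while logged in can auto-submit such a POST).
function myplugin_weak_save_settings() {
    if ( isset( $_POST['short_name'] ) ) {
        update_option( 'myplugin_settings', array( 'short_name' => $_POST['short_name'] ) );
    }
}
// add_action( 'admin_init', 'myplugin_weak_save_settings' ); // contrast only, not hooked

// Hardened form: the nonce is bound to the user session and the action name and
// cannot be read from a third-party origin, so a forged POST will not carry it.
function myplugin_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $settings = get_option( 'myplugin_settings', array( 'short_name' => '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_settings">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <label>Short name
            <input type="text" name="short_name"
                   value="<?php echo esc_attr( $settings['short_name'] ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Hardened handler: the capability check stops low-privilege accounts, the
// nonce check stops cross-site forgery against an administrator's session.
function myplugin_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies with HTTP 403 when the nonce is absent, expired or for another action.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );
    $short_name = isset( $_POST['short_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['short_name'] ) )
        : '';
    update_option( 'myplugin_settings', array( 'short_name' => $short_name ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin&updated=1' ) );
    exit;
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings' );
```

A request that reaches the hardened handler without a valid nonce is rejected before any option is written, which is exactly the settings-change path this CVE describes.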

Advisories

Source: EUVD
ID: EUVD-2025-26041
Title: Cross-Site Request Forgery (CSRF) vulnerability in shen2 多说社会化评论框 allows Cross Site Request Forgery. This issue affects 多说社会化评论框: from n/a through 1.2.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Type: Metrics (cvssV3_1)
  Value: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000
  Type: Description
  Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in shen2 多说社会化评论框 allows Cross Site Request Forgery. This issue affects 多说社会化评论框: from n/a through 1.2.
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in shen2 多说社会化评论框 duoshuo allows Cross Site Request Forgery.This issue affects 多说社会化评论框: from n/a through <= 1.2.
  Type: References
  Type: Metrics (cvssV3_1)
  Value: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Thu, 28 Aug 2025 21:30:00 +0000
  Type: First Time appeared
  Values Added: Wordpress, Wordpress wordpress
  Type: Vendors & Products
  Values Added: Wordpress, Wordpress wordpress

Thu, 28 Aug 2025 18:15:00 +0000
  Type: Metrics (ssvc)
  Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 Aug 2025 13:00:00 +0000
  Type: Description
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in shen2 多说社会化评论框 allows Cross Site Request Forgery. This issue affects 多说社会化评论框: from n/a through 1.2.
  Type: Title
  Values Added: WordPress 多说社会化评论框 plugin <= 1.2 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability
  Type: Weaknesses
  Values Added: CWE-352
  Type: References
  Type: Metrics (cvssV3_1)
  Value: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:56.127Z

Reserved: 2025-05-19T14:13:53.900Z

Link: CVE-2025-48318

Vulnrichment

Updated: 2025-08-28T17:55:37.100Z

NVD

Status: Deferred

Published: 2025-08-28T13:15:45.243

Modified: 2026-04-23T15:31:05.743

Link: CVE-2025-48318

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:30:10Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)