Description
Cross-Site Request Forgery (CSRF) vulnerability in mg12 WP-EasyArchives wp-easyarchives allows Stored XSS. This issue affects WP-EasyArchives: from n/a through <= 3.1.2.
Published: 2025-12-31
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE identifies a CSRF flaw in the mg12 WP‑EasyArchives WordPress plugin that permits a malicious actor to construct a forged request. When an authenticated user submits the request, malicious code can be stored in the site’s content, creating a stored cross‑site scripting condition that will be executed for every visitor who loads the affected page. This weakness aligns with CWE‑352.

Affected Systems

The plugin WP‑EasyArchives, version 3.1.2 and all preceding versions, is affected. Any WordPress installation running mg12 WP‑EasyArchives 3.1.2 or earlier is at risk. The vendor identifier is mg12.

Risk and Exploitability

The CVSS base score of 7.1 reflects a high severity vulnerability. The EPSS score of less than 1% indicates a very low likelihood of exploitation recorded at the time of analysis, and the issue is not listed in the CISA KEV catalog. The threat hinges on an attacker identifying a logged‑in administrator or privileged user and delivering a CSRF payload that stores malicious script; because the vulnerability is stored, it persists until the plugin is upgraded or the request vector is blocked.

Generated by OpenCVE AI on April 30, 2026 at 14:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP‑EasyArchives to a version newer than 3.1.2 when a vendor patch is released
  • If an upgrade is not yet available, use a web application firewall or server rules to reject requests to the plugin’s administrative endpoints that do not contain a valid WordPress nonce token
  • Disable or remove the WP‑EasyArchives plugin until a fix is applied, preventing any opportunity for exploitation
  • Check the vendor’s site regularly for a patched release or security advisory

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Cross-Site Request Forgery (CSRF) vulnerability in mg12 WP-EasyArchives allows Stored XSS. This issue affects WP-EasyArchives: from n/a through 3.1.2.
Added: Cross-Site Request Forgery (CSRF) vulnerability in mg12 WP-EasyArchives wp-easyarchives allows Stored XSS. This issue affects WP-EasyArchives: from n/a through <= 3.1.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 31 Dec 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 31 Dec 2025 05:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in mg12 WP-EasyArchives allows Stored XSS. This issue affects WP-EasyArchives: from n/a through 3.1.2.
Title WordPress WP-EasyArchives plugin <= 3.1.2 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:01.877Z

Reserved: 2025-06-04T09:42:34.939Z

Link: CVE-2025-49345

Vulnrichment

Updated: 2025-12-31T17:33:27.835Z

NVD

Status : Deferred

Published: 2025-12-31T06:15:40.957

Modified: 2026-04-23T15:31:30.413

Link: CVE-2025-49345

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T14:30:06Z

Weaknesses