Description
Cross-Site Request Forgery (CSRF) vulnerability in Jupitercow WP sIFR wp-sifr allows Stored XSS.This issue affects WP sIFR: from n/a through <= 0.6.8.1.
Published: 2025-12-09
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cross‑Site Request Forgery (CSRF) allows an attacker to store malicious JavaScript on a WordPress site that uses the WP sIFR plugin. Once an authenticated user visits a page or posts content, the injected script executes in that visitor’s browser, compromising the confidentiality, integrity, and availability of the site and potentially hijacking user sessions. The vulnerability is classified as CWE‑352.

Affected Systems

WordPress sites running the WP sIFR plugin version 0.6.8.1 or earlier are affected. The vulnerability applies to all earlier releases, as no lower version boundary is specified.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity. With an EPSS score of less than 1 %, the likelihood of exploitation is low, and the issue is not listed in CISA’s KEV catalog. The CSRF flaw most likely requires the victim to be a logged‑in user who is induced to visit a crafted URL or submit a forged request, thereby exercising the vulnerability and triggering the stored cross‑site scripting.

Generated by OpenCVE AI on April 29, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP sIFR plugin to the latest available version that contains the CSRF fix.
  • If the plugin is no longer required, uninstall or disable it from the WordPress plugin manager.
  • Adopt broader WordPress hardening practices such as enforcing strong passwords, enabling two‑factor authentication, and restricting the WordPress admin URL to reduce risk while the issue is pending a patch.

Generated by OpenCVE AI on April 29, 2026 at 19:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 11 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Dec 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 09 Dec 2025 15:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Jupitercow WP sIFR wp-sifr allows Stored XSS.This issue affects WP sIFR: from n/a through <= 0.6.8.1.
Title WordPress WP sIFR plugin <= 0.6.8.1 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:21:49.061Z

Reserved: 2025-06-04T09:42:34.940Z

Link: CVE-2025-49347

cve-icon Vulnrichment

Updated: 2025-12-11T20:49:35.747Z

cve-icon NVD

Status : Deferred

Published: 2025-12-09T16:17:58.253

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-49347

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T19:30:18Z

Weaknesses