Description
Cross-Site Request Forgery (CSRF) vulnerability in Adrian Hanft Konami Easter Egg (slug konami-easter-egg) allows Stored XSS. This issue affects Konami Easter Egg: from n/a through <= v0.4.
Published: 2025-06-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can exploit a CSRF flaw in the Konami Easter Egg plugin to inject persistent malicious script into a WordPress site. The plugin accepts a state-changing request without verifying that the request originated from its own form, which is the CWE-352 weakness the advisory records. An attacker who lures a logged-in user with the rights to change the plugin's data onto a page they control can make that user's browser submit the forged request; the submitted value is stored and later rendered to every visitor, producing stored cross-site scripting. The attacker needs no credentials of their own: the victim's browser supplies the authenticated session.

Affected Systems

The vulnerable plugin is Adrian Hanft’s Konami Easter Egg for WordPress, affecting all releases up to and including version 0.4. Any WordPress installation that has this plugin installed in one of those versions is exposed. No other products or vendors are listed in the advisory.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 is rated High (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): the forged request is network-reachable, low in complexity and needs no privileges on the attacker's side, but a user must be induced to interact, and the scope change reflects that script stored through the plugin runs in the browsers of other site visitors. The EPSS below 1% indicates that exploitation is not expected to be widespread, the flaw is not in the CISA KEV catalog, and the SSVC assessment records no known exploitation and marks the issue as not automatable. A realistic attack combines a crafted web page or social-engineering lure that makes an authenticated user's browser send the forged request with the stored XSS payload that then compromises visitors' browsers.

Generated by OpenCVE AI on April 30, 2026 at 11:44 UTC.
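The pattern the Impact section describes, shown as an added illustration written for this page rather than code taken from the Konami Easter Egg plugin (the advisory does not show the plugin's source): a WordPress handler that persists a user-supplied string with update_option() and echoes it on the public site, first without request-origin and output checks, then with the nonce, capability, sanitisation and escaping that close the CSRF-to-stored-XSS chain. The option, field and function names (demo_egg_*) and the hooks chosen are hypothetical.

```php
<?php
/*
 * Added illustration for this advisory page; not the Konami Easter Egg
 * plugin's code. Option, field and function names are hypothetical.
 */

// ---- Vulnerable pattern: CSRF that becomes stored XSS ---------------------
// Any POST that reaches admin_init while the browser carries a logged-in
// wp-admin session is honoured: no nonce, no capability check, raw storage.
function demo_egg_save_vulnerable() {
    if ( isset( $_POST['demo_egg_message'] ) ) {
        update_option( 'demo_egg_message', $_POST['demo_egg_message'] );
    }
}
// (would be registered with add_action( 'admin_init', 'demo_egg_save_vulnerable' ))

// The stored value is written into every page unescaped, so a persisted
// "<script>" tag runs in each visitor's browser.
function demo_egg_render_vulnerable() {
    echo '<div id="egg">' . get_option( 'demo_egg_message', '' ) . '</div>';
}
// (would be registered with add_action( 'wp_footer', 'demo_egg_render_vulnerable' ))

// ---- Hardened pattern ------------------------------------------------------
// The settings form carries a nonce bound to this action and the current
// user; a page on another origin cannot read or forge it.
function demo_egg_settings_field() {
    wp_nonce_field( 'demo_egg_save', 'demo_egg_nonce' );
    echo '<input type="text" name="demo_egg_message" value="'
        . esc_attr( get_option( 'demo_egg_message', '' ) ) . '">';
}

function demo_egg_save_hardened() {
    if ( ! isset( $_POST['demo_egg_message'] ) ) {
        return;
    }
    // 1. Only users allowed to change site settings may get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // 2. The request must carry the nonce minted by demo_egg_settings_field();
    //    check_admin_referer() terminates the request when it is missing or
    //    invalid, which is what defeats the forged cross-site POST.
    check_admin_referer( 'demo_egg_save', 'demo_egg_nonce' );
    // 3. Strip tags and control characters before the value is persisted.
    $message = sanitize_text_field( wp_unslash( $_POST['demo_egg_message'] ) );
    update_option( 'demo_egg_message', $message );
}
add_action( 'admin_init', 'demo_egg_save_hardened' );

// 4. Escape on output regardless of what is in the database, so a value
//    stored by an older, unsanitised release still cannot execute.
function demo_egg_render_hardened() {
    echo '<div id="egg">' . esc_html( get_option( 'demo_egg_message', '' ) ) . '</div>';
}
add_action( 'wp_footer', 'demo_egg_render_hardened' );
```

Steps 1 and 2 are the CSRF fix (CWE-352); steps 3 and 4 are what stops a value that does get stored from becoming XSS. A plugin that has only the output escaping is still vulnerable to CSRF, and one that has only the nonce still ships a stored-XSS bug for any path that can write the option, so both halves belong in the fix.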

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Konami Easter Egg plugin as soon as the vendor publishes a release marked as fixing this issue; at the time of this advisory no fixed version is listed.
  • If an update is not yet available, uninstall or disable the plugin entirely to remove the attack vector.
  • Nonce validation is implemented by the plugin that handles the request, not by WordPress core or a site setting, so an administrator cannot switch it on for a third-party plugin. If the plugin is maintained or forked in house, make every state-changing handler verify a nonce (check_admin_referer() or wp_verify_nonce()) and the user's capability before saving, and escape stored values on output. Until a fixed release exists, reduce exposure by keeping the number of accounts able to change plugin settings small and by not browsing untrusted sites from a logged-in administrator session.

Generated by OpenCVE AI on April 30, 2026 at 11:44 UTC.
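A check for the affected range, written for this page (not a vendor or OpenCVE tool): it compares a version string against the advisory's upper bound of 0.4 and, when WP-CLI is available in the WordPress root, reads the installed version of the konami-easter-egg slug from the live site. The --run switch and the treatment of a missing plugin as "not-installed" are assumptions of this script.

```sh
#!/bin/sh
# Added example for the advisory: is the installed Konami Easter Egg version
# inside the published affected range (<= v0.4)?
set -eu

# Numeric dotted-version comparison in POSIX awk: prints "yes" if $1 <= $2.
# A leading "v" (the advisory writes "v0.4") is stripped before comparing.
version_le() {
    a=$(printf '%s' "$1" | sed 's/^v//')
    b=$(printf '%s' "$2" | sed 's/^v//')
    awk -v a="$a" -v b="$b" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0   # missing components count as 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "yes"; exit }
            if (xi > yi) { print "no"; exit }
        }
        print "yes"                           # equal
    }'
}

# "yes" when the given version is within the affected range of this advisory.
is_affected() {
    version_le "$1" "0.4"
}

# Read the live version with WP-CLI (assumes wp on PATH, run from the site
# root). Prints "not-installed" when the slug is absent or wp is missing.
installed_version() {
    wp plugin get konami-easter-egg --field=version 2>/dev/null || echo "not-installed"
}

main() {
    v=$(installed_version)
    if [ "$v" = "not-installed" ]; then
        echo "konami-easter-egg is not installed"
    elif [ "$(is_affected "$v")" = "yes" ]; then
        echo "konami-easter-egg $v is affected (<= 0.4); no fixed release is listed"
        echo "disable it with: wp plugin deactivate konami-easter-egg"
    else
        echo "konami-easter-egg $v is outside the published affected range"
    fi
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Because the advisory gives no fixed version, a result of "outside the published affected range" for a release above 0.4 means only that it is not covered by this record, not that it has been audited; re-check the advisory before treating such an install as safe.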


Advisories
Source: EUVD
ID: EUVD-2025-17301
Title: Cross-Site Request Forgery (CSRF) vulnerability in Adrian Hanft Konami Easter Egg allows Stored XSS. This issue affects Konami Easter Egg: from n/a through v0.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Removed: Cross-Site Request Forgery (CSRF) vulnerability in Adrian Hanft Konami Easter Egg allows Stored XSS. This issue affects Konami Easter Egg: from n/a through v0.4.
  Added: Cross-Site Request Forgery (CSRF) vulnerability in Adrian Hanft Konami Easter Egg konami-easter-egg allows Stored XSS.This issue affects Konami Easter Egg: from n/a through <= v0.4.
Title
  Removed: WordPress Konami Easter Egg <= v0.4 - Cross Site Request Forgery (CSRF) Vulnerability
  Added: WordPress Konami Easter Egg plugin <= v0.4 - Cross Site Request Forgery (CSRF) Vulnerability
References: (none listed)
Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 06 Jun 2025 14:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Jun 2025 13:15:00 +0000

Description: Cross-Site Request Forgery (CSRF) vulnerability in Adrian Hanft Konami Easter Egg allows Stored XSS. This issue affects Konami Easter Egg: from n/a through v0.4.
Title: WordPress Konami Easter Egg <= v0.4 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses: CWE-352
References: (none listed)
Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

WordPress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:04.226Z

Reserved: 2025-06-04T15:44:22.453Z

Link: CVE-2025-49425

Vulnrichment

Updated: 2025-06-06T13:44:36.857Z

NVD

Status: Deferred

Published: 2025-06-06T13:15:53.483

Modified: 2026-04-23T15:31:39.680

Link: CVE-2025-49425

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T11:45:21Z

Weaknesses