Description
Cross-Site Request Forgery (CSRF) vulnerability in Amol Nirmala Waman Navayan Subscribe navayan-subscribe allows Stored XSS. This issue affects Navayan Subscribe: from n/a through <= 1.13.
Published: 2025-06-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This flaw results from the Navayan Subscribe plugin lacking CSRF protection on a request that stores data. Because the request carries no anti-forgery token, an attacker can have a logged-in user's browser submit it with attacker-chosen input, which the plugin stores without validation; the result is a persistent XSS payload that runs in the browsers of anyone who views the affected content. The stored script can steal user credentials, deface the site, or deliver malware, compromising both data integrity and user confidentiality.

Affected Systems

All releases of the Navayan Subscribe plugin, developed by Amol Nirmala Waman, from the initial version through 1.13 are impacted because none of them include a CSRF check on the affected request.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, yet the EPSS score of less than 1% indicates a low estimated likelihood of exploitation in the wild at present. The flaw is not listed in CISA KEV. Based on the description and the vector (network, no privileges, user interaction required, changed scope), the likely attack vector is an attacker crafting a forged HTTP request from a malicious site to trigger the Navayan Subscribe action in a victim's browser, causing the plugin to store malicious script that is then served to any visitor. Such stored XSS can steal credentials, deliver malware, or deface the site, compromising user confidentiality and data integrity.

Generated by OpenCVE AI on May 1, 2026 at 07:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the plugin’s official website or repository for a patched release that implements CSRF protection and upgrade to it as soon as possible.
  • If a patch is not yet available, deactivate or remove the Navayan Subscribe plugin to eliminate the vulnerable code and any stored malicious content from the site.
  • For any remaining forms or input handling, enforce CSRF tokens and sanitize or escape output so that stored XSS cannot be introduced in the future.

Generated by OpenCVE AI on May 1, 2026 at 07:11 UTC.
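As an added illustration of the three recommended controls, and not code from the Navayan Subscribe plugin (whose handler is not shown on this page): a hypothetical WordPress settings handler in the vulnerable shape the advisory describes, beside a hardened version that checks capability and nonce, sanitizes input and escapes output. All function, hook and option names are assumptions.

```php
<?php
// Added example; not the Navayan Subscribe plugin's own code. The option name,
// hook name and function names are assumptions chosen for illustration.
// VULNERABLE SHAPE (CWE-352 leading to stored XSS): the handler accepts any
// POST that arrives with the victim's session cookie, so a form on another
// site can submit it from a logged-in admin's browser, and the raw value is
// stored and later echoed without escaping.
function navayan_demo_save_vulnerable() {
    update_option( 'navayan_demo_message', $_POST['message'] );
    echo '<p>' . get_option( 'navayan_demo_message' ) . '</p>';
}

// HARDENED FORM: the nonce is minted for this action and this user's session,
// so a cross-site page cannot produce a request that passes the check.
function navayan_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="navayan_demo_save">
        <?php wp_nonce_field( 'navayan_demo_save', 'navayan_demo_nonce' ); ?>
        <input type="text" name="message"
               value="<?php echo esc_attr( get_option( 'navayan_demo_message', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function navayan_demo_save_hardened() {
    // 1. Authorization: only users allowed to change settings reach the write path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: dies with a 403 unless a valid nonce for this action is present.
    check_admin_referer( 'navayan_demo_save', 'navayan_demo_nonce' );

    // 3. Sanitize before storing so markup never reaches the database.
    $message = isset( $_POST['message'] )
        ? sanitize_text_field( wp_unslash( $_POST['message'] ) )
        : '';
    update_option( 'navayan_demo_message', $message );

    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// 4. Escape at output too, so nothing stored can execute in visitors' browsers.
function navayan_demo_show_message() {
    echo '<p>' . esc_html( get_option( 'navayan_demo_message', '' ) ) . '</p>';
}
add_action( 'admin_post_navayan_demo_save', 'navayan_demo_save_hardened' );
```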


Advisories
Source: EUVD
ID: EUVD-2025-28508
Title: Cross-Site Request Forgery (CSRF) vulnerability in Amol Nirmala Waman Navayan Subscribe allows Stored XSS. This issue affects Navayan Subscribe: from n/a through 1.13.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Cross-Site Request Forgery (CSRF) vulnerability in Amol Nirmala Waman Navayan Subscribe allows Stored XSS. This issue affects Navayan Subscribe: from n/a through 1.13.
  Added: Cross-Site Request Forgery (CSRF) vulnerability in Amol Nirmala Waman Navayan Subscribe navayan-subscribe allows Stored XSS.This issue affects Navayan Subscribe: from n/a through <= 1.13.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 27 Jun 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Jun 2025 13:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Amol Nirmala Waman Navayan Subscribe allows Stored XSS. This issue affects Navayan Subscribe: from n/a through 1.13.
Title WordPress Navayan Subscribe plugin <= 1.13 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Amol Nirmala Waman Navayan Subscribe Plugin
WordPress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:23.559Z

Reserved: 2025-06-27T11:59:06.867Z

Link: CVE-2025-53311

Vulnrichment

Updated: 2025-06-27T17:01:03.238Z

NVD

Status: Deferred

Published: 2025-06-27T14:15:53.280

Modified: 2026-04-23T15:32:28.313

Link: CVE-2025-53311

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:15:11Z

Weaknesses