Description
Cross-Site Request Forgery (CSRF) vulnerability in plumwd Twitch TV Embed Suite twitch-tv-embed-suite allows Stored XSS. This issue affects Twitch TV Embed Suite: from n/a through <= 2.1.0.
Published: 2025-06-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a CSRF flaw in the Twitch TV Embed Suite plugin up to and including version 2.1.0. An attacker can cause the browser of an authenticated user to submit a request that stores a malicious JavaScript payload in the WordPress database. When that stored content is later rendered, the injected script executes in visitors' browsers, giving the attacker the ability to steal session cookies, deface pages, or carry out other typical stored XSS attacks.
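To make the CWE-352 to stored-XSS chain concrete from the defender's side, here is an added illustration in PHP. It is a generic WordPress settings handler and is not the Twitch TV Embed Suite plugin's code; every function, hook and option name in it (`demo_twitch_channel`, `demo_save_channel`, and so on) is hypothetical. The vulnerable form stores a POSTed value with no nonce and echoes it back unescaped; the hardened form ties the save request to the user's intent with a nonce, checks capability, validates the input against a conservative allow-list, and escapes on output.

```php
<?php
// Added illustration, not the plugin's own code. Hypothetical names throughout.

// --- Vulnerable pattern ------------------------------------------------------
// 1. Nothing binds the request to the logged-in user's intent (no nonce), so a
//    forged cross-site POST from any page the admin visits is accepted.
// 2. The stored value is printed into the page as-is (stored XSS sink).
function vulnerable_save_channel() {
    if ( isset( $_POST['channel'] ) ) {
        update_option( 'demo_twitch_channel', $_POST['channel'] ); // raw input stored
    }
}
add_action( 'admin_init', 'vulnerable_save_channel' );

function vulnerable_render_widget() {
    echo '<div class="demo-embed">' . get_option( 'demo_twitch_channel' ) . '</div>';
}

// --- Hardened pattern --------------------------------------------------------
// The form carries a nonce; the handler verifies it, checks capability,
// validates the value, and the renderer escapes on output.
function hardened_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_save_channel">';
    wp_nonce_field( 'demo_save_channel', 'demo_nonce' ); // per-user, time-limited token
    echo '<input type="text" name="channel" value="'
        . esc_attr( get_option( 'demo_twitch_channel', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function hardened_save_channel() {
    // Authorization: only users allowed to change site options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF defence: dies with 403 if the nonce is missing, expired or forged.
    check_admin_referer( 'demo_save_channel', 'demo_nonce' );

    $channel = isset( $_POST['channel'] )
        ? sanitize_text_field( wp_unslash( $_POST['channel'] ) )
        : '';
    // Allow-list (assumption for this example): channel handles are short and
    // limited to letters, digits and underscore, so script content cannot be stored.
    if ( ! preg_match( '/^[A-Za-z0-9_]{1,25}$/', $channel ) ) {
        wp_die( 'Invalid channel name', '', array( 'response' => 400 ) );
    }
    update_option( 'demo_twitch_channel', $channel );

    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : admin_url() );
    exit;
}
// admin-post.php routes a POST with action=demo_save_channel to this hook.
add_action( 'admin_post_demo_save_channel', 'hardened_save_channel' );

function hardened_render_widget() {
    // Output escaping contains any value that reached the database anyway.
    $channel = get_option( 'demo_twitch_channel', '' );
    echo '<div class="demo-embed" data-channel="' . esc_attr( $channel ) . '">'
        . esc_html( $channel ) . '</div>';
}
```

The nonce check is what breaks the CSRF half of the chain: a request forged from another origin cannot carry a valid nonce, so the handler refuses it before anything is written. Output escaping is independent of that and is why inspecting already-stored content still matters after an upgrade; a payload that was persisted while the site was vulnerable stays harmless only if every render path escapes it.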

Affected Systems

All WordPress sites that have the Twitch TV Embed Suite plugin from plumwd installed at version 2.1.0 or earlier are affected. The issue is present in every release up to and including 2.1.0, as indicated by the vulnerability's version range.

Risk and Exploitability

The CVSS score of 7.1 classifies the flaw as high severity, but the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability has not appeared in CISA's KEV catalog. An attacker would need to send a crafted link to a logged-in user or otherwise induce that user's browser to make the vulnerable request. Once the stored XSS payload executes, the attacker can hijack sessions or exfiltrate sensitive data. No public exploits have been reported, but the combination of a CSRF trigger and persistent XSS would have significant impact if successfully exploited.

Generated by OpenCVE AI on May 1, 2026 at 07:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Twitch TV Embed Suite plugin to the latest version, which addresses the CSRF issue.
  • If an immediate upgrade is not possible, disable or remove the plugin to eliminate the vulnerable code path.
  • Inspect and remove any stored content that may contain malicious scripts, including posts, widgets, or settings, so that payloads saved while the site was vulnerable cannot still execute.


Advisories
Source: EUVD
ID: EUVD-2025-28510
Title: Cross-Site Request Forgery (CSRF) vulnerability in plumwd Twitch TV Embed Suite allows Stored XSS. This issue affects Twitch TV Embed Suite: from n/a through 2.1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Value removed: Cross-Site Request Forgery (CSRF) vulnerability in plumwd Twitch TV Embed Suite allows Stored XSS. This issue affects Twitch TV Embed Suite: from n/a through 2.1.0.
Value added: Cross-Site Request Forgery (CSRF) vulnerability in plumwd Twitch TV Embed Suite twitch-tv-embed-suite allows Stored XSS. This issue affects Twitch TV Embed Suite: from n/a through <= 2.1.0.

Type: References (values not shown)

Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 27 Jun 2025 18:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Jun 2025 13:45:00 +0000

Type: Description
Value: Cross-Site Request Forgery (CSRF) vulnerability in plumwd Twitch TV Embed Suite allows Stored XSS. This issue affects Twitch TV Embed Suite: from n/a through 2.1.0.

Type: Title
Value: WordPress Twitch TV Embed Suite plugin <= 2.1.0 - Cross Site Request Forgery (CSRF) Vulnerability

Type: Weaknesses
Value: CWE-352

Type: References (values not shown)

Type: Metrics (cvssV3_1)
Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:23.549Z

Reserved: 2025-06-27T11:59:14.508Z

Link: CVE-2025-53313

Vulnrichment

Updated: 2025-06-27T17:00:57.648Z

NVD

Status : Deferred

Published: 2025-06-27T14:15:53.663

Modified: 2026-04-23T15:32:28.547

Link: CVE-2025-53313

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:15:11Z

Weaknesses