Description
Cross-Site Request Forgery (CSRF) vulnerability in szajenw Społecznościowa 6 PL 2013 spolecznosciowa-6-pl-2013 allows Stored XSS.This issue affects Społecznościowa 6 PL 2013: from n/a through <= 2.0.6.
Published: 2025-06-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a Cross‑Site Request Forgery flaw that allows an attacker to store malicious script payloads in the WordPress plugin Spolecznosciowa 6 PL 2013. The injected script is executed in the browsers of any user who views the affected content, leading to a stored cross‑site scripting condition. This weakness is classified as CWE‑352.

Affected Systems

The plugin Spolecznosciowa 6 PL 2013, provided by szajenw, is vulnerable in all released versions through 2.0.6. Any WordPress site running a version of this plugin within that range faces the risk.

Risk and Exploitability

With a CVSS score of 7.1, the flaw carries a high severity assessment. Its EPSS score is below 1 percent, indicating a low but non‑zero likelihood that automated exploitation attempts are in use. The vulnerability is not yet listed in the CISA KEV catalog. Exploitation requires a crafted HTTP request that an authenticated (or logged‑in) user can execute, which injects persistent JavaScript into the site – a vulnerable user receiving a trick link or a PoC payload can trigger the stored XSS and compromise all visitors who view the contaminated content.

Generated by OpenCVE AI on April 30, 2026 at 10:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spolecznosciowa 6 PL 2013 to the latest release that removes the CSRF flaw, ensuring your WordPress site runs a patched version.
  • If an update is unavailable or impractical, uninstall the plugin completely to eliminate the risk vector.
  • Restrict content‑submission permissions so that only administrators or trusted users can use the plugin’s input features, reducing the potential for malicious payloads.
  • Implement a site‑wide Content Security Policy that blocks inline script execution to mitigate any remaining stored XSS impact.

Generated by OpenCVE AI on April 30, 2026 at 10:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28518 Cross-Site Request Forgery (CSRF) vulnerability in szajenw Społecznościowa 6 PL 2013 allows Stored XSS. This issue affects Społecznościowa 6 PL 2013: from n/a through 2.0.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in szajenw Społecznościowa 6 PL 2013 allows Stored XSS. This issue affects Społecznościowa 6 PL 2013: from n/a through 2.0.6. Cross-Site Request Forgery (CSRF) vulnerability in szajenw Społecznościowa 6 PL 2013 spolecznosciowa-6-pl-2013 allows Stored XSS.This issue affects Społecznościowa 6 PL 2013: from n/a through <= 2.0.6.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 27 Jun 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Jun 2025 13:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in szajenw Społecznościowa 6 PL 2013 allows Stored XSS. This issue affects Społecznościowa 6 PL 2013: from n/a through 2.0.6.
Title WordPress Społecznościowa 6 PL 2013 plugin <= 2.0.6 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:23.942Z

Reserved: 2025-06-27T11:59:22.191Z

Link: CVE-2025-53329

cve-icon Vulnrichment

Updated: 2025-06-27T17:00:43.848Z

cve-icon NVD

Status : Deferred

Published: 2025-06-27T14:15:55.687

Modified: 2026-04-23T15:32:30.317

Link: CVE-2025-53329

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T10:15:34Z

Weaknesses