Description
Cross-Site Request Forgery (CSRF) vulnerability in Dejan Markovic WordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and Schedule buffer-my-post allows Reflected XSS. This issue affects WordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and Schedule: from n/a through <= 2020.1.0.
Published: 2025-09-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross‑site request forgery vulnerability exists in the WordPress Buffer – HYPESocial plugin that can be leveraged to execute reflected cross‑site scripting attacks. The flaw allows an attacker to craft a request that the authenticated user unknowingly submits, resulting in unintended actions or injected script execution within the user’s context.

Affected Systems

The vulnerability affects the WordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and Schedule plugin for all releases up to and including version 2020.1.0. The plugin is distributed by Dejan Markovic.

Risk and Exploitability

The CVSS score of 7.1 indicates a high‑severity risk, but the EPSS score of less than 1 % suggests a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a user with a logged‑in session that has permission to use the plugin; the likely attack vector is a web request manipulated by an attacker, though specific details are not provided in the description.

Generated by OpenCVE AI on April 30, 2026 at 02:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Buffer – HYPESocial plugin to a version newer than 2020.1.0 once a fix is released.
  • If no update is available, permanently disable or remove the plugin to eliminate the attack surface until a patch is issued.
  • Configure WordPress to enforce CSRF token validation on all POST requests and restrict the plugin’s capabilities to the minimal role necessary for its intended use.

Advisories
Source: EUVD
ID: EUVD-2025-26931
Title: Cross-Site Request Forgery (CSRF) vulnerability in Dejan Markovic WordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and Schedule allows Reflected XSS. This issue affects WordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and Schedule: from n/a through 2020.1.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Dejan Markovic WordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and Schedule allows Reflected XSS. This issue affects WordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and Schedule: from n/a through 2020.1.0.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Dejan Markovic WordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and Schedule buffer-my-post allows Reflected XSS. This issue affects WordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and Schedule: from n/a through <= 2020.1.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 05 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Sep 2025 14:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Dejan Markovic WordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and Schedule allows Reflected XSS. This issue affects WordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and Schedule: from n/a through 2020.1.0.
Title WordPress WordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and Schedule Plugin <= 2020.1.0 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:46:42.858Z

Reserved: 2025-09-05T10:49:49.115Z

Link: CVE-2025-58846

Vulnrichment

Updated: 2025-09-05T15:16:55.851Z

NVD

Status: Deferred

Published: 2025-09-05T14:15:58.507

Modified: 2026-04-23T15:33:44.890

Link: CVE-2025-58846

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T02:30:25Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)