Description
The yContributors plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5. This is due to missing or incorrect nonce validation on the 'yContributors' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-07-04
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting via CSRF
Action: Patch Plugin
AI Analysis

Impact

The yContributors WordPress plugin has a CSRF flaw that allows an unauthenticated attacker to submit forged requests to the plugin’s settings page. Because the page lacks proper nonce validation, the attacker can modify configuration values and inject arbitrary JavaScript that is persisted in the database. When any site visitor loads the affected page, the malicious script runs, giving the attacker the ability to deface content, hijack user sessions, or exfiltrate data. The weakness is an example of CWE-352, a Cross-Site Request Forgery that leads to Stored Cross-Site Scripting.

Affected Systems

The vulnerability affects the “yContributors” plugin authored by yonisink; any WordPress installation with version 0.5 or earlier of the plugin installed is affected. No specific sub-versions are listed beyond the 0.5 cutoff. Administrators running those old releases are at risk.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. The EPSS score is below 1%, suggesting that exploitation is currently rare and likely requires a targeted attack in which an administrator is tricked into clicking a malicious link. The vulnerability is not listed in CISA’s KEV catalog. An attacker would host a crafted link or button on an external site that, when a logged-in administrator visits it, sends the forged request to the WordPress admin interface. Successful exploitation results in a stored XSS payload being delivered to end users.

Generated by OpenCVE AI on April 22, 2026 at 14:43 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the yContributors plugin to the latest available version (any release newer than 0.5) to eliminate the missing nonce verification.
  • If an upgrade cannot be applied immediately, verify that the plugin’s settings page correctly checks a nonce and restricts form submissions to authenticated administrators only. This restores protection against CSRF.
  • Scan the WordPress database for any unexpected script tags inserted by the plugin and remove them. After cleanup, clear relevant caches so that no malicious payloads remain accessible.
  • As a further precaution, consider disabling or removing the yContributors plugin until a patched version is available, or use a security plugin to block CSRF requests to the plugin’s admin URLs.
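The second and third recommended actions describe the checks a safe settings page needs. The following is an added example, not code from the yContributors plugin or from OpenCVE, of a WordPress admin-post settings handler that applies them: a nonce via wp_nonce_field()/check_admin_referer(), a capability check, and sanitization of the stored value with wp_kses_post(). All hook, option and field names beginning with example_ are hypothetical.

```php
<?php
// Added example (not the yContributors plugin's own code). Hook, option and
// field names (example_*) are hypothetical.

// Render the settings form. wp_nonce_field() embeds a per-user, time-limited
// token that an attacker's external page cannot know or guess.
function example_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.' ) );
    }
    $opts = get_option( 'example_plugin_options', array( 'intro_text' => '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <textarea name="intro_text"><?php echo esc_textarea( $opts['intro_text'] ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Save handler. The three checks below break the CSRF-to-stored-XSS chain.
function example_save_settings() {
    // 1. Nonce: a forged cross-site request cannot carry a valid token.
    //    check_admin_referer() calls wp_die() when the check fails.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // 2. Capability: only administrators may change settings, nonce or not.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), 403 );
    }

    // 3. Sanitize on write: wp_kses_post() strips <script> tags and event
    //    handler attributes, so a stored value cannot execute as script.
    $intro = isset( $_POST['intro_text'] )
        ? wp_kses_post( wp_unslash( $_POST['intro_text'] ) )
        : '';
    update_option( 'example_plugin_options', array( 'intro_text' => $intro ) );

    // Return to the settings page rather than leaving the user on admin-post.php.
    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}
// admin_post_* fires only for logged-in users; no admin_post_nopriv_* hook is registered.
add_action( 'admin_post_example_save_settings', 'example_save_settings' );
```

When the stored value is later printed on the public site, pass it through wp_kses_post() or esc_html() again at output time, so that a value written by older, unchecked code is also neutralized.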

Advisories
Source: EUVD
ID: EUVD-2025-19925
Title: identical to the Description above.
History

Tue, 08 Jul 2025 15:15:00 +0000

  • Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 04 Jul 2025 02:30:00 +0000

  • Description added: the CVE description quoted above.
  • Title added: yContributors <= 0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting
  • Weaknesses added: CWE-352
  • References: no values listed.
  • Metrics (cvssV3_1) added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

WordPress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:38:20.836Z

Reserved: 2025-06-12T20:26:39.948Z

Link: CVE-2025-6041

Vulnrichment

Updated: 2025-07-08T14:28:47.100Z

NVD

Status : Deferred

Published: 2025-07-04T03:15:22.080

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6041

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T14:45:19Z

Weaknesses