Description
The YANewsflash plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the 'yanewsflash/yanewsflash.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-07-23
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS via CSRF
Action: Patch
AI Analysis

Impact

The YANewsflash WordPress plugin is vulnerable in all releases up to and including 1.0.3 because the yanewsflash.php handler validates the nonce incorrectly or not at all. An unauthenticated actor can therefore forge a request that a site administrator is tricked into submitting, which updates the plugin settings and injects arbitrary script into the stored configuration. The injected script is then served to every visitor of the site, a stored cross-site scripting condition that can be leveraged for defacement, credential theft or drive-by downloads.

Affected Systems

The affected product is the YANewsflash plugin from vendor stratosg. All releases with version numbers 1.0.3 or earlier are vulnerable. Administrators using any WordPress installation that has this plugin installed and enabled should verify the current version and update if necessary.

Risk and Exploitability

The CVSS base score of 6.1 indicates moderate severity, and the EPSS score of less than 1% points to a very low probability of exploitation at the time of this analysis. The vulnerability is not yet listed in the CISA KEV catalog. The attack requires the targeted administrator to click a malicious link or submit a forged form, so it succeeds only after a privileged user has been lured into performing that action. Although the likelihood is low, a successful attack would trigger the stored XSS for any site visitor, potentially compromising user sessions and enabling further attacks.

Generated by OpenCVE AI on April 22, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade YANewsflash to version 1.0.4 or later, where nonce validation is correctly enforced.
  • If a newer version is unavailable, uninstall or disable the YANewsflash plugin to eliminate the attack surface.
  • As a temporary measure, block or restrict POST requests to yanewsflash/yanewsflash.php that lack a valid nonce, or use a security plugin to enforce additional CSRF checks on the plugin’s administrative pages.
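As an added illustration for the Impact section and the recommended actions above (this is not code from the YANewsflash plugin or from OpenCVE), the following PHP shows the CWE-352 pattern the advisory describes next to the hardened WordPress settings handler that "nonce validation is correctly enforced" means in practice: a nonce check via check_admin_referer(), a capability check, and sanitization of the stored values so a forged request cannot plant script. The handler, option, field and hook names prefixed example_ are hypothetical; the WordPress API functions are real.

```php
<?php
// Added example (not YANewsflash code). All "example_" names are hypothetical.

// --- Weak pattern (what CWE-352 looks like) ------------------------------
// A handler that trusts any POST reaching it: no nonce, no capability check,
// no sanitization. A logged-in admin who is lured into submitting a forged
// form would silently store attacker-controlled HTML in the options table.
function example_save_newsflash_weak() {
    update_option( 'example_newsflash_settings', $_POST['settings'] ); // unsafe
}

// --- Hardened pattern ----------------------------------------------------
add_action( 'admin_post_example_save_newsflash', 'example_save_newsflash' );

function example_save_newsflash() {
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }

    // 2. Nonce check. The nonce is bound to the current user's session and the
    //    named action, so a request forged by a third party cannot carry a valid
    //    one. check_admin_referer() calls wp_die() on failure, which stops a
    //    forged POST here before any setting is touched.
    check_admin_referer( 'example_save_newsflash_action', 'example_newsflash_nonce' );

    // 3. Sanitize before storing so the saved configuration cannot carry script.
    $settings = array(
        'headline' => sanitize_text_field( wp_unslash( $_POST['headline'] ?? '' ) ),
        'body'     => wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) ),
        'speed'    => absint( $_POST['speed'] ?? 50 ),
    );
    update_option( 'example_newsflash_settings', $settings );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example-newsflash' ) ) );
    exit;
}

// Settings form. wp_nonce_field() emits the hidden nonce input that
// check_admin_referer() verifies; the form posts to admin-post.php.
function example_render_newsflash_form() {
    $defaults = array( 'headline' => '', 'body' => '', 'speed' => 50 );
    $settings = wp_parse_args( get_option( 'example_newsflash_settings', array() ), $defaults );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_newsflash">
        <?php wp_nonce_field( 'example_save_newsflash_action', 'example_newsflash_nonce' ); ?>
        <label>Headline
            <input type="text" name="headline" value="<?php echo esc_attr( $settings['headline'] ); ?>">
        </label>
        <label>Body
            <textarea name="body"><?php echo esc_textarea( $settings['body'] ); ?></textarea>
        </label>
        <label>Speed
            <input type="number" name="speed" value="<?php echo esc_attr( $settings['speed'] ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 4. Escape at render time as a second layer, even though input was sanitized
//    on save. Stored XSS needs both layers to fail.
function example_render_newsflash_frontend() {
    $settings = get_option( 'example_newsflash_settings', array() );
    echo '<div class="newsflash">' . esc_html( $settings['headline'] ?? '' ) . '</div>';
}
```

The two checks do different jobs: current_user_can() confirms the browser belongs to someone permitted to change settings, while check_admin_referer() confirms the request was intentionally sent from the plugin's own form rather than from a page the administrator was lured to. The third bullet above can be verified the same way when reviewing a plugin: every handler that writes options should reach update_option() only after a nonce check like the one shown.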


Advisories
Source: EUVD
ID: EUVD-2025-22404
Title: The YANewsflash plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the 'yanewsflash/yanewsflash.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Wed, 23 Jul 2025 17:45:00 +0000

Type: First Time appeared. Values removed: none. Values added: Wordpress; Wordpress wordpress.
Type: Vendors & Products. Values removed: none. Values added: Wordpress; Wordpress wordpress.

Wed, 23 Jul 2025 16:15:00 +0000

Type: Metrics. Values removed: none. Values added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 23 Jul 2025 02:45:00 +0000

Type: Description. Values added: The YANewsflash plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the 'yanewsflash/yanewsflash.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Type: Title. Values added: YANewsflash <= 1.0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Type: Weaknesses. Values added: CWE-352
Type: References.
Type: Metrics. Values added: cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:18.951Z

Reserved: 2025-06-13T12:38:32.110Z

Link: CVE-2025-6054

Vulnrichment

Updated: 2025-07-23T14:25:09.485Z

NVD

Status : Deferred

Published: 2025-07-23T03:15:24.800

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6054

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T14:45:19Z

Weaknesses