Description
The WordPress Automatic Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.118.0. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to update campaigns and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-08-26
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting via CSRF
Action: Apply Patch
AI Analysis

Impact

The ValvePress WordPress Automatic Plugin fails to validate nonces on a key function, which allows an attacker who can influence a site administrator to submit a forged request that modifies campaign settings. By exploiting this missing or incorrect nonce check, the attacker can inject malicious JavaScript that is saved in the database and executed whenever any visitor loads the affected page, resulting in a stored Cross-Site Scripting vulnerability. This flaw is classified as CWE-80.
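The nonce check this analysis refers to is easiest to see in code. The following PHP is an added example written for this record; it is not the ValvePress plugin's code, and every function, option, hook and field name in it (example_save_campaign, example_campaigns, example_campaign_nonce and so on) is a hypothetical name chosen for illustration. It shows a WordPress admin-post handler written in the CSRF-prone pattern the record describes (no nonce, no capability check, raw input stored and later rendered), followed by the hardened form that a plugin author or site reviewer would expect: a capability check, check_admin_referer() against a nonce emitted by wp_nonce_field(), sanitisation before storage, and escaping on output.

```php
<?php
// Added example, not the ValvePress plugin's code. All names below are
// assumptions made for illustration.

// --- Vulnerable pattern: any POST reaching this hook is honoured -------------
add_action( 'admin_post_example_save_campaign_unsafe', 'example_save_campaign_unsafe' );
function example_save_campaign_unsafe() {
    // No nonce and no capability check: an administrator who is logged in and
    // visits a page that auto-submits this form has their session cookies sent
    // along by the browser, so the request looks like a legitimate admin action.
    $campaigns        = get_option( 'example_campaigns', array() );
    $id               = (int) $_POST['campaign_id'];
    $campaigns[ $id ] = array(
        'title'    => $_POST['title'],    // stored as-is
        'template' => $_POST['template'], // stored as-is and rendered on the front end later
    );
    update_option( 'example_campaigns', $campaigns );
    wp_safe_redirect( admin_url( 'admin.php?page=example-campaigns' ) );
    exit;
}

// --- Hardened pattern ---------------------------------------------------------
// The form that submits to the handler carries a nonce tied to the action name.
function example_campaign_form( $campaign_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_campaign', 'example_campaign_nonce' ); ?>
        <input type="hidden" name="action" value="example_save_campaign">
        <input type="hidden" name="campaign_id" value="<?php echo esc_attr( $campaign_id ); ?>">
        <input type="text" name="title">
        <textarea name="template"></textarea>
        <button type="submit">Save</button>
    </form>
    <?php
}

add_action( 'admin_post_example_save_campaign', 'example_save_campaign' );
function example_save_campaign() {
    // 1. Capability check: only users permitted to manage the site may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check: the token is derived from the action name, the user and
    //    the current time window, so a request forged from another origin
    //    cannot carry a valid one. check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'example_save_campaign', 'example_campaign_nonce' );

    // 3. Sanitise before storing so that what reaches the database is bounded.
    $campaigns        = get_option( 'example_campaigns', array() );
    $id               = absint( $_POST['campaign_id'] ?? 0 );
    $campaigns[ $id ] = array(
        'title'    => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'template' => wp_kses_post( wp_unslash( $_POST['template'] ?? '' ) ),
    );
    update_option( 'example_campaigns', $campaigns );
    wp_safe_redirect( admin_url( 'admin.php?page=example-campaigns&updated=1' ) );
    exit;
}

// 4. Escape on output as well; sanitising at storage time is not a substitute.
function example_render_campaign_title( $id ) {
    $campaigns = get_option( 'example_campaigns', array() );
    $title     = isset( $campaigns[ $id ]['title'] ) ? $campaigns[ $id ]['title'] : '';
    echo esc_html( $title );
}
```

Two points are worth noting when reviewing a handler like this. The nonce alone does not authorise the request, which is why the capability check comes first; and the nonce check protects the write path, not the render path, which is why the stored template is still passed through wp_kses_post() and the title through esc_html(). Only the combination closes both halves of the chain the record describes: the forged request and the script that would otherwise persist.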

Affected Systems

All versions of the ValvePress WordPress Automatic Plugin up to and including 3.118.0 are impacted. The vulnerability applies to every WordPress site that installs any release of the plugin within that version range, regardless of additional configuration.

Risk and Exploitability

The CVSS score of 4.7 points to moderate severity, while the EPSS score of less than 1% reflects an unlikely exploitation scenario. The flaw is not listed in CISA’s KEV catalog. Exploitation requires the attacker to persuade an administrative user to click a crafted link or submit a forged form, but no administrative credentials are needed beforehand. Because the vulnerability allows the injection of persistent malicious content, the potential consequences include credential theft, defacement, or other attacks performed under the site owner’s authority, making remediation advisable despite the low expected exploitation likelihood.

Generated by OpenCVE AI on April 22, 2026 at 04:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ValvePress WordPress Automatic Plugin to a version newer than 3.118.0.
  • If an update cannot be applied immediately, temporarily disable the plugin or block the vulnerable functionality to prevent forged requests from reaching the application.
  • Deploy a Web Application Firewall or use a security plugin that can filter out CSRF requests and monitor for script injections, and review server logs for unusual activity.

Generated by OpenCVE AI on April 22, 2026 at 04:01 UTC.

Advisories

Source: EUVD
ID: EUVD-2025-25809
Title: The WordPress Automatic Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.118.0. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to update campaigns and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

History

Wed, 27 Aug 2025 11:30:00 +0000

Type: First Time appeared
Values added: Valvepress; Valvepress wordpress Automatic Plugin; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Valvepress; Valvepress wordpress Automatic Plugin; Wordpress; Wordpress wordpress

Tue, 26 Aug 2025 16:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 26 Aug 2025 09:15:00 +0000

Type: Description
Values added: The WordPress Automatic Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.118.0. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to update campaigns and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values added: WordPress Automatic Plugin - AI content generator and auto poster plugin <= 3.118.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Type: Weaknesses
Values added: CWE-80

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:10:07.816Z

Reserved: 2025-06-18T18:12:24.172Z

Link: CVE-2025-6247

Vulnrichment

Updated: 2025-08-26T15:38:45.456Z

NVD

Status: Deferred

Published: 2025-08-26T09:15:30.793

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6247

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:15:07Z

Weaknesses