Description
Cross-Site Request Forgery (CSRF) vulnerability in Eduard Pinuaga Linares Did Prestashop Display did-prestashop-display allows Stored XSS. This issue affects Did Prestashop Display: from n/a through <= 1.0.30.
Published: 2025-10-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross‑site request forgery flaw in the Did Prestashop Display WordPress plugin lets an attacker force an authenticated user's browser to submit a crafted request that stores attacker‑controlled input in the database. That stored data is later rendered without proper sanitization, producing a stored cross‑site scripting condition in which arbitrary JavaScript executes in the victim's browser. The weakness is classified as CWE‑352.

Affected Systems

The vulnerability affects all installations of the Did Prestashop Display plugin version 1.0.30 and earlier. Users deploying the plugin on any WordPress site are at risk, regardless of the site’s domain.

Risk and Exploitability

The CVSS score is 7.1, indicating moderate‑to‑high severity. The EPSS score is below 1%, so observed exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a CSRF request triggered by a malicious link or form that an attacker persuades an authenticated user to open, allowing the attacker to inject persistent script data. Given the moderate severity and low exploit probability, the overall risk is moderate, but it should still be addressed promptly, especially on sites that expose the plugin's endpoints to untrusted users.

Generated by OpenCVE AI on April 29, 2026 at 23:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Did Prestashop Display to the latest available version (greater than 1.0.30), which removes the CSRF vector and sanitizes stored data
  • If an update cannot be applied immediately, deactivate or uninstall the plugin to eliminate the attack surface
  • Add a CSRF token (nonce) validation step to the plugin's request handling to reject requests that did not originate from the site's own forms


Advisories

No advisories yet.

History

Mon, 27 Apr 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values Removed: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Tue, 28 Oct 2025 21:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 28 Oct 2025 14:30:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Mon, 27 Oct 2025 22:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Eduard Pinuaga Linares; Eduard Pinuaga Linares did Prestashop Display; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Eduard Pinuaga Linares; Eduard Pinuaga Linares did Prestashop Display; Wordpress; Wordpress wordpress

Mon, 27 Oct 2025 02:00:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Eduard Pinuaga Linares Did Prestashop Display did-prestashop-display allows Stored XSS.This issue affects Did Prestashop Display: from n/a through <= 1.0.30.

Type: Title
Values Added: WordPress Did Prestashop Display plugin <= 1.0.30 - Cross Site Request Forgery (CSRF) vulnerability

Type: Weaknesses
Values Added: CWE-352

Type: References
Values Added: (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:06.884Z

Reserved: 2025-10-24T14:24:48.654Z

Link: CVE-2025-62945

Vulnrichment

Updated: 2025-10-27T15:11:08.343Z

NVD

Status : Deferred

Published: 2025-10-27T02:15:54.680

Modified: 2026-04-27T17:16:36.980

Link: CVE-2025-62945

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T23:30:22Z

Weaknesses