Description
The Last.fm Recent Album Artwork plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the 'lastfm_albums_artwork.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-08-16
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via Cross‑Site Request Forgery
Action: Apply Update
AI Analysis

Impact

The Last.fm Recent Album Artwork plugin for WordPress contains a missing or incorrect nonce check on its settings page, allowing an attacker to forge a request that updates the plugin’s configuration. By exploiting this vulnerability, a malicious actor can inject arbitrary JavaScript that will be stored in the site’s settings and executed in the browsers of any user who views the affected page. The impact is the compromise of confidentiality and integrity of site data and the potential to hijack administrator sessions, deface the site, or exfiltrate sensitive information through client‑side scripts.

Affected Systems

All installations of the remysharp:Last.fm Recent Album Artwork plugin, versions 1.0.2 and earlier, running on WordPress websites. The vulnerability is present regardless of the overall WordPress core version, as it resides in the plugin’s PHP script accessed by site administrators.

Risk and Exploitability

The CVSS score of 6.1 categorizes the issue as a moderate severity flaw. The EPSS score of less than 1 % indicates a very low current probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. However, the attack requires only that an administrator click a crafted link or form, making social engineering a viable vector. Once executed, the stored XSS can affect all users of the site, elevating the risk in environments with sensitive or privileged users. The lack of immediate automatic exploitation mechanisms means the attacker must first persuade a target administrator to perform the forged request.

Generated by OpenCVE AI on April 21, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest released version of the Last.fm Recent Album Artwork plugin (currently 1.0.3 or later) which corrects the nonce validation flaw.
  • Disable the plugin until the update is applied to prevent any further misuse of the vulnerable endpoint.
  • Inspect the plugin’s settings for injected scripts, remove any malicious content, and reset the configuration to default values to eliminate stored XSS payloads.

Generated by OpenCVE AI on April 21, 2026 at 19:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-25070 The Last.fm Recent Album Artwork plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the 'lastfm_albums_artwork.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Mon, 18 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 16 Aug 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Last.fm Recent Album Artwork plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the 'lastfm_albums_artwork.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Last.fm Recent Album Artwork <= 1.0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:47:19.806Z

Reserved: 2025-07-15T18:48:20.341Z

Link: CVE-2025-7684

cve-icon Vulnrichment

Updated: 2025-08-18T13:38:12.657Z

cve-icon NVD

Status : Deferred

Published: 2025-08-16T04:16:08.437

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7684

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T19:30:06Z

Weaknesses