Description
The Like & Share My Site plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the 'lsms_admin' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-07-22
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS via CSRF
Action: Disable Plugin
AI Analysis

Impact

The Like & Share My Site plugin for WordPress is vulnerable to a cross‑site request forgery that allows an unauthenticated attacker to submit a forged request to the plugin’s admin page. Because the nonce validation is missing or incorrect, the attacker can change the plugin’s settings and inject malicious JavaScript. When site visitors load the affected page, the injected script runs in their browsers, producing a stored cross‑site scripting event that can be used to steal credentials, deface content, or redirect users to malicious sites.

Affected Systems

All installations of the Like & Share My Site plugin running any version up to and including 0.2 are affected. Site owners should identify whether their current installation is in this range and plan a remediation or removal accordingly. Versions released after 0.2 are not mentioned in the CVE data, so the presence of a fix in later releases is uncertain.

Risk and Exploitability

The CVSS score of 6.1 classifies the vulnerability as medium severity, and the EPSS score of less than 1% suggests a very low likelihood of exploitation at present. This vulnerability is not listed in the CISA KEV catalog. An attacker would need to entice a site administrator to click a crafted link or otherwise trigger the forged request. Once the script is persisted, any visitor to the affected page could be compromised.

Generated by OpenCVE AI on April 22, 2026 at 04:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or delete the Like & Share My Site plugin from the WordPress installation to eliminate the vulnerable code.
  • If the plugin is required for site functionality, obtain the latest available version from the vendor or the WordPress plugin repository and install it as soon as a fix is made available.
  • Implement administrative safeguards such as proper nonce validation for future plugin development and limit administrator privileges to a minimum necessary set of users to reduce the chance of accidental submission of forged requests.
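The nonce safeguard recommended above, shown as an added illustration rather than the plugin's own code: a minimal WordPress settings page with the CSRF-prone handler pattern the description implies next to a hardened one. All function, option, action and nonce names here (lsms_example_*) are hypothetical.

```php
<?php
// Hypothetical WordPress settings page; NOT the Like & Share My Site plugin's code.

// VULNERABLE pattern: the POST is trusted with no nonce or capability check, and
// raw HTML is persisted, so a forged cross-site request yields stored XSS.
function lsms_example_save_unsafe() {
    if ( isset( $_POST['share_text'] ) ) {
        update_option( 'lsms_example_share_text', $_POST['share_text'] );
    }
}

// HARDENED pattern: capability check, nonce verification, sanitise on input,
// escape on output. check_admin_referer() stops the request (wp_die) when the
// nonce is missing or invalid, so update_option() is never reached by a forgery.
function lsms_example_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'lsms-example' ) );
    }
    if ( isset( $_POST['lsms_example_save'] ) ) {
        check_admin_referer( 'lsms_example_save_action', 'lsms_example_nonce' );
        $text = isset( $_POST['share_text'] ) ? wp_unslash( $_POST['share_text'] ) : '';
        update_option( 'lsms_example_share_text', sanitize_text_field( $text ) );
        echo '<div class="notice notice-success"><p>Settings saved.</p></div>';
    }
    $current = get_option( 'lsms_example_share_text', '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'lsms_example_save_action', 'lsms_example_nonce' ); ?>
        <label for="share_text">Share text</label>
        <input type="text" id="share_text" name="share_text"
               value="<?php echo esc_attr( $current ); ?>">
        <?php submit_button( 'Save', 'primary', 'lsms_example_save' ); ?>
    </form>
    <?php
}

// Front-end output is escaped as well; sanitising on input alone is not enough.
function lsms_example_render_share_text() {
    echo esc_html( get_option( 'lsms_example_share_text', '' ) );
}

add_action( 'admin_menu', function () {
    add_options_page( 'LSMS Example', 'LSMS Example', 'manage_options',
        'lsms_example', 'lsms_example_render_settings_page' );
} );
```

Nonces in WordPress are tied to the logged-in user and expire, so a link or auto-submitting form on a third-party site cannot carry a valid one; that is the property the missing check on the 'lsms_admin' page forfeits.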

Advisories

Source: EUVD
ID: EUVD-2025-22301
Title: same text as the Description above.
History

Wed, 23 Jul 2025 20:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Tue, 22 Jul 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 22 Jul 2025 09:30:00 +0000

Type: Description
Values Added: same text as the Description above.

Type: Title
Values Added: Like & Share My Site <= 0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Type: Weaknesses
Values Added: CWE-352

Type: References
Values Added: (no values shown)

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:17.299Z

Reserved: 2025-07-15T18:51:34.532Z

Link: CVE-2025-7685

Vulnrichment

Updated: 2025-07-22T20:02:40.921Z

NVD

Status : Deferred

Published: 2025-07-22T10:15:26.047

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7685

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:15:07Z

Weaknesses