WordPress Plugin Vulnerabilities

On Page SEO + Whatsapp Chat Button < 2.0.1 - Stored XSS via CSRF

Description

The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
ops-robots-txt
Fixed in 2.0.1

References

CVE
CVE-2025-25138
URL
https://patchstack.com/database/wordpress/plugin/ops-robots-txt/vulnerability/wordpress-on-page-seo-social-live-chat-formerly-ops-plugin-2-0-0-csrf-to-stored-xss-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
13bf417b-0e33-4545-a417-8ba540c1bd97

Timeline

Publicly Published
2025-02-03 (about 1 year ago)
Added
2025-02-12 (about 1 year ago)
Last Updated
2025-03-17 (about 11 months ago)

Other

Published
Title
Published
2025-11-03
Title
Social Media WPCF7 Stop Words <= 1.1.3 - Cross-Site Request Forgery to Settings Update
Published
2025-10-15
Title
Reloadly <= 2.0.1 - Cross-Site Request Forgery
Published
2022-11-14
Title
Becustom < 1.0.5.3 - Settings Update via CSRF
Published
2025-06-05
Title
Custom Bulk/Quick Edit <= 1.6.10 - Cross-Site Request Forgery
Published
2022-06-17
Title
Popup Builder < 4.1.1 - Popup Status Change via CSRF