WordPress Plugin Vulnerabilities

Lewe ChordPress <= 4.0.1 - Stored XSS via CSRF

Description

The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
chordpress
No known fix

References

CVE
CVE-2025-52789
URL
https://patchstack.com/database/wordpress/plugin/chordpress/vulnerability/wordpress-lewe-chordpress-plugin-3-9-6-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Nguyen Xuan Chien
Verified
No
WPVDB ID
6f9311db-6f12-4255-9634-2ba679dc2505

Timeline

Publicly Published
2025-06-19 (about 9 months ago)
Added
2025-06-25 (about 9 months ago)
Last Updated
2025-10-15 (about 5 months ago)

Other

Published
Title
Published
2024-12-11
Title
Sogrid < 1.5.5 - Cross-Site Request Forgery to Arbitrary Options Update
Published
2023-10-16
Title
Snap Pixel < 1.6.0 - Arbitrary Settings Update via CSRF
Published
2024-01-09
Title
Community by PeepSo < 6.3.1.2 - User Post Creation via CSRF
Published
2024-04-12
Title
SEO Booster < 3.8.10 - Cross-Site Request Forgery
Published
2024-10-03
Title
Ultimate Member < 2.8.7 - Cross-Site Request Forgery to Membership Status Change