Platform
wordpress
Component
sensitive-tag-cloud
Fixed in
1.4.2
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the SensitiveTagCloud WordPress plugin. A state-changing request handled by the plugin is not verified as having been intentionally issued by the logged-in user, so a forged request submitted in that user's session can store attacker-controlled script in the site, which then executes in the browsers of visitors (Stored Cross-Site Scripting, XSS). This is script execution on the client side and may lead to session hijacking and data theft; it is not code execution on the server. All versions up to and including 1.4.1 are affected; the fix ships in 1.4.2 and users are strongly advised to upgrade.
The CSRF flaw lets an attacker craft a request (for example a form on an attacker-controlled page that auto-submits to the site) that the browser of an authenticated, sufficiently privileged user sends as if it were that user's own action. When the forged request carries a script payload and the plugin stores it, the result is Stored XSS: the payload lives in the site's database and runs every time an affected page is rendered for any visitor. Consequences include session hijacking, defacement, redirection to malicious sites and theft of sensitive data, including credentials. The persistence of the payload raises the impact: upgrading the plugin closes the injection path but does not remove content that was already injected, so stored payloads must be located and cleaned separately.
The vulnerability was publicly disclosed on 2025-12-31. No public proof-of-concept (PoC) has been released at the time of writing. Exploitation needs no special tooling, but it does require luring a logged-in user with sufficient privileges to an attacker-controlled page, which is what keeps the CVSS score at 7.1 (HIGH) rather than critical. The CVE is not currently listed in the CISA KEV catalog; its low EPSS score reflects the absence of observed exploitation, not the absence of risk, and the issue warrants monitoring.
Every site running an affected version is at risk. Exposure is greatest where administrators and editors browse other sites while logged into wp-admin, because that authenticated session is what a forged request rides on. On shared hosting without per-site isolation, a compromise of one site can additionally serve as a foothold against neighbouring sites on the same server.
• wordpress / composer:
grep -r 'sensitive-tag-cloud/sensitive-tag-cloud' /var/www/html/
wp plugin list | grep sensitive-tag-cloud
(the version column of wp plugin list shows whether the installed copy is older than 1.4.2)
• generic web:
curl -s https://example.com/ | grep -i 'sensitive-tag-cloud'
(curl -I fetches headers only; the plugin slug appears in the HTML body, in asset paths under wp-content/plugins/, so the body must be fetched)
Disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-49344 is to upgrade the SensitiveTagCloud plugin to 1.4.2 or later. If an immediate upgrade is not possible because of compatibility concerns, reduce exposure in the meantime: deploy a strict Content Security Policy (CSP) that disallows inline scripts, so that an injected payload is blocked from executing; make sure the plugin's settings pages are reachable only by administrators who are needed, and instruct them to log out of wp-admin before browsing untrusted sites. Server-side CSRF protection for the affected request means a WordPress nonce check (wp_nonce_field on the form, check_admin_referer or wp_verify_nonce in the handler) together with a capability check; this is the plugin developer's fix and cannot be retrofitted by a site owner without modifying plugin code, so treat it as a reason to upgrade rather than as an interim control. Sanitise on input and escape on output for any value the plugin stores. Because the XSS is stored, also search the database for injected script after upgrading (the affected options, widget titles or post content the plugin writes) and remove anything found. After upgrading, confirm the fix by submitting the plugin's state-changing form without its nonce field (or with a stale one) while logged in and verifying that WordPress rejects the request with a 403 "link has expired" response instead of saving the value.
A fix is available in version 1.4.2. If you cannot upgrade, review the vulnerability details closely and apply compensating controls in line with your organisation's risk appetite; where the plugin is not essential, uninstalling it and choosing a replacement may be the better option.
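To make the mechanism and the fix concrete, the following is an added example written for this advisory, not the SensitiveTagCloud plugin's own code: a hypothetical WordPress settings handler for a widget title, first in the pattern that produces a CSRF-to-Stored-XSS bug, then in the hardened form described above. The action names (stc_save_settings, stc_save_settings_vuln), the option name (stc_widget_title), the nonce name and the admin page slug are assumptions; the WordPress functions used (wp_nonce_field, check_admin_referer, current_user_can, sanitize_text_field, esc_html, esc_attr, update_option) are the standard core API.

```php
<?php
// Added illustration for CVE-2025-49344's bug class. Hypothetical handler; not
// code from the SensitiveTagCloud plugin. Action, option and nonce names are
// assumptions chosen for the example.

// ---- Vulnerable pattern: no capability check, no nonce, raw store, raw echo ----

add_action( 'admin_post_stc_save_settings_vuln', 'stc_save_settings_vuln' );
function stc_save_settings_vuln() {
    // Any POST that reaches this hook is trusted. An attacker page that
    // auto-submits <form action=".../admin-post.php"> with
    // action=stc_save_settings_vuln&widget_title=<script>...</script>
    // while an admin is logged in stores the payload under the admin's session.
    update_option( 'stc_widget_title', $_POST['widget_title'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=stc' ) );
    exit;
}

function stc_render_title_vuln() {
    // The stored value is echoed unescaped into every page that shows the
    // widget, so the injected script runs for every visitor: stored XSS.
    echo '<h2>' . get_option( 'stc_widget_title' ) . '</h2>';
}

// ---- Hardened pattern: capability + nonce on input, sanitise, escape on output ----

function stc_render_settings_form() {
    // The nonce is tied to this action and to the current user's session.
    // A cross-origin page cannot read it, so it cannot forge a valid request.
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="stc_save_settings">
        <?php wp_nonce_field( 'stc_save_settings', 'stc_nonce' ); ?>
        <label>Widget title
            <input type="text" name="widget_title"
                   value="<?php echo esc_attr( get_option( 'stc_widget_title', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_stc_save_settings', 'stc_save_settings' );
function stc_save_settings() {
    // 1. Authorisation: only users who may manage options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: verify the nonce. On failure WordPress calls wp_die() with a
    //    403 "link has expired" page, so a forged request never reaches step 3.
    check_admin_referer( 'stc_save_settings', 'stc_nonce' );

    // 3. Sanitise on input: wp_unslash removes magic-quote slashes, then
    //    sanitize_text_field strips tags, encoded entities and line breaks.
    $title = isset( $_POST['widget_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['widget_title'] ) )
        : '';
    update_option( 'stc_widget_title', $title );

    wp_safe_redirect( admin_url( 'options-general.php?page=stc&updated=1' ) );
    exit;
}

function stc_render_title() {
    // 4. Escape on output regardless of input sanitisation: defence in depth
    //    against a value written to the option by some other code path.
    echo '<h2>' . esc_html( get_option( 'stc_widget_title', '' ) ) . '</h2>';
}
```

The post-upgrade check from the mitigation text maps onto the hardened handler directly: a POST to admin-post.php with action=stc_save_settings but no stc_nonce field (or a nonce copied from an old session) must produce the 403 page from check_admin_referer and leave the option unchanged, while the same request sent from the rendered form succeeds.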
CVE-2025-49344 is a Cross-Site Request Forgery (CSRF) vulnerability in the SensitiveTagCloud WordPress plugin that can be used to plant Stored XSS. It affects all plugin versions up to and including 1.4.1.
If you are running any version of the SensitiveTagCloud plugin older than 1.4.2 (that is, 1.4.1 or earlier, regardless of WordPress core version), you are affected by this vulnerability.
Upgrade the SensitiveTagCloud plugin to version 1.4.2 or later, which includes the security fix. Until then, a strict CSP that blocks inline scripts and keeping privileged users logged out of wp-admin while browsing elsewhere reduce the exposure; afterwards, check stored content for payloads injected before the upgrade.
While no active exploitation has been confirmed, the vulnerability's nature makes it likely to be targeted, and proactive mitigation is recommended.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.