Platform
wordpress
Component
create-posts-terms
Fixed in
1.3.2
CVE-2025-49351 is a Cross-Site Request Forgery (CSRF) vulnerability in the Create Posts & Terms WordPress plugin. An attacker who lures a logged-in user with post or term creation rights to a page they control can cause that user's browser to submit a forged request to the plugin, and because the plugin stores the submitted values without adequate sanitization, the forged request can plant a script that is saved on the server (Stored XSS). The affected range is every version from 0.0.0 up to and including 1.3.1; version 1.3.2 fixes the issue.
Two things have to hold for the attack to work: the victim must be authenticated to the target site with a role that may create or modify posts and terms (typically an administrator or editor), and the attacker must get that user to load attacker-controlled content while the session is valid. The stored script then executes in the browser of anyone who views the affected post, term or admin screen, including administrators, which can lead to session hijacking, site defacement, redirection to malicious sites, theft of sensitive data or creation of further privileged accounts. The impact is therefore not limited to the user who submitted the forged request.
CVE-2025-49351 was publicly disclosed on 2025-12-09. No public proof-of-concept exploit is known at the time of writing, and the EPSS score is 0.02% (5th percentile). Monitor advisories from WordPress.org and the plugin developer for updates.
Any WordPress site running the Create Posts & Terms plugin at version 1.3.1 or earlier is at risk, and the more accounts that hold the right to create or modify posts and terms, the more users a forged request can target. Shared hosting environments deserve extra attention: if sites on the same server are not isolated from one another, a compromise of one site could potentially be leveraged against the others.
Detection
• WordPress (on the server):
ls -d /var/www/html/wp-content/plugins/create-posts-terms
wp plugin list --fields=name,version,status | grep -i 'create-posts-terms'
• Generic web (unauthenticated; works only if the plugin directory is readable):
curl -s https://example.com/wp-content/plugins/create-posts-terms/readme.txt | grep -i 'stable tag'
Any reported version at or below 1.3.1 is affected.
Disclosure
2025-12-09
Exploit status
No public proof of concept known
EPSS
0.02% (5th percentile)
CISA SSVC
Not stated
CVSS vector
Not stated
The primary mitigation for CVE-2025-49351 is to upgrade the Create Posts & Terms plugin to version 1.3.2 or later. The root cause is on the plugin side: every state-changing action needs a nonce check bound to the action and the current user (so that a cross-origin form cannot forge it), a capability check (a valid nonce proves intent, not privilege), and sanitization of submitted values plus escaping on output so that stored text can never become executable markup. Site operators cannot add those checks themselves, which is why the upgrade is the real fix. A Web Application Firewall tuned to reject cross-origin POSTs to the plugin's endpoints can add a layer of protection in the meantime, but it is not a substitute.
Where upgrading is not immediately possible, deactivate the plugin until it can be updated, or remove it and find a replacement. Reducing the number of accounts that can create posts and terms also shrinks the set of users whose sessions a forged request could abuse.
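To make the mitigation concrete, the following is an added illustration and not code from the Create Posts & Terms plugin or from its fix: a minimal WordPress admin-post handler that creates a post and a category term, first in the CSRF-prone shape the advisory describes and then hardened with a nonce check, a capability check and input sanitization. The hook names, the `cpt_demo_` prefix and the form field names are assumptions made for this example; the WordPress functions used are the standard core APIs.

```php
<?php
/**
 * Added example, not the plugin's own code. Hook names, the cpt_demo_ prefix
 * and the form field names are assumptions for illustration.
 */

// --- Vulnerable pattern -------------------------------------------------------
// No nonce check: a page the attacker controls can auto-submit a form to
// admin-post.php?action=cpt_demo_create_vuln and the victim's browser attaches
// the WordPress auth cookies. Unsanitised input is stored, so a <script> tag in
// the title or term name is persisted and rendered later (stored XSS).
add_action( 'admin_post_cpt_demo_create_vuln', function () {
    wp_insert_post( array(
        'post_title'   => $_POST['title'],
        'post_content' => $_POST['content'],
        'post_status'  => 'publish',
    ) );
    wp_insert_term( $_POST['term'], 'category' );
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
} );

// --- Hardened pattern ---------------------------------------------------------
add_action( 'admin_post_cpt_demo_create', function () {
    // 1. CSRF: the request must carry a nonce bound to this action and to the
    //    current user's session. check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'cpt_demo_create', 'cpt_demo_nonce' );

    // 2. Authorisation: a nonce proves intent, not privilege. Require exactly
    //    the capabilities the action needs.
    if ( ! current_user_can( 'publish_posts' ) || ! current_user_can( 'manage_categories' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }

    // 3. Input handling: plain-text fields lose all tags; post content is
    //    reduced to the post-safe HTML allow-list, so stored values cannot
    //    carry executable markup.
    $title   = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );
    $term    = sanitize_text_field( wp_unslash( $_POST['term'] ?? '' ) );

    if ( '' === $title ) {
        wp_die( esc_html__( 'Title is required.' ), '', array( 'response' => 400 ) );
    }

    $post_id = wp_insert_post( array(
        'post_title'   => $title,
        'post_content' => $content,
        'post_status'  => 'publish',
    ), true );
    if ( is_wp_error( $post_id ) ) {
        wp_die( esc_html( $post_id->get_error_message() ), '', array( 'response' => 500 ) );
    }

    if ( '' !== $term && ! term_exists( $term, 'category' ) ) {
        wp_insert_term( $term, 'category' );
    }

    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
} );

// The legitimate form must embed the matching nonce; wp_nonce_field() emits the
// hidden nonce field (and a referer field) that check_admin_referer() verifies.
function cpt_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cpt_demo_create">
        <?php wp_nonce_field( 'cpt_demo_create', 'cpt_demo_nonce' ); ?>
        <input type="text" name="title" placeholder="Post title">
        <textarea name="content"></textarea>
        <input type="text" name="term" placeholder="Category">
        <button type="submit">Create</button>
    </form>
    <?php
}
```

The three checks are deliberately layered: the nonce stops the cross-origin forgery, the capability check stops a low-privileged but authenticated user from reaching the action directly, and the sanitization plus `esc_html()`/`esc_attr()` escaping at render time means that even a value that slipped through as data cannot execute as script. Dropping any one of them leaves the chain the advisory describes open.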
CVE-2025-49351 is a Cross-Site Request Forgery (CSRF) vulnerability in the Create Posts & Terms WordPress plugin that can be chained into Stored XSS.
You are affected if your WordPress site uses the Create Posts & Terms plugin in versions 0.0.0 through 1.3.1.
Upgrade the Create Posts & Terms plugin to version 1.3.2 or later. If you cannot upgrade yet, deactivate the plugin and limit the number of accounts that may create posts and terms.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Check the plugin developer's website and WordPress.org plugin page for updates and advisories related to CVE-2025-49351.