Platform: wordpress
Component: sensitive-tag-cloud
Fixed in: 1.4.2
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the SensitiveTagCloud WordPress plugin. This flaw allows attackers to trigger Stored XSS attacks, potentially leading to unauthorized code execution and data theft. The vulnerability affects versions from 0.0.0 through 1.4.1. A fix is available, and users are strongly advised to upgrade immediately.
The CSRF vulnerability in SensitiveTagCloud allows an attacker to craft malicious requests that appear to originate from a legitimate user. Successfully exploiting this vulnerability can lead to Stored Cross-Site Scripting (XSS). Stored XSS allows attackers to inject malicious scripts into the website’s database, which are then executed whenever other users visit affected pages. This could result in session hijacking, defacement of the website, redirection to malicious sites, or the theft of sensitive user data, including credentials. The impact is heightened because the XSS is stored, meaning it persists until the content is manually cleaned or the plugin is updated.
This vulnerability was publicly disclosed on 2025-12-31. No public proof-of-concept (POC) code has been released at the time of writing, but the nature of CSRF and Stored XSS vulnerabilities makes exploitation relatively straightforward. The CVSS score of 7.1 (HIGH) indicates a significant risk. It is not currently listed on the CISA KEV catalog, but its potential for widespread exploitation warrants monitoring.
Exploit Status
EPSS: 0.02% (5th percentile)
The primary mitigation for CVE-2025-49344 is to upgrade the SensitiveTagCloud plugin to 1.4.2 or later, the version that includes the security fix. If an immediate upgrade is not possible because of compatibility issues or breaking changes, consider deploying strict Content Security Policy (CSP) headers to limit the execution of inline scripts. Additionally, implement server-side CSRF protection that validates the authenticity of state-changing requests. Regularly review user input and sanitize any data before it is stored in the database to prevent XSS injection. After upgrading, confirm the vulnerability is resolved by attempting a CSRF attack on a sensitive function within the plugin and verifying that the request is rejected.
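The request-validation and sanitization pattern that closes this bug class in a WordPress plugin, shown as an added illustration rather than SensitiveTagCloud's own code. The weak handler accepts any POST that carries the field; the hardened one requires a capability, a nonce, sanitizes before storing, and escapes on output. All `stc_demo_` names and the `stc_demo_title` option are hypothetical.

```php
<?php
// Illustrative settings handler for a hypothetical plugin (not SensitiveTagCloud).
// Absent nonce verification, a forged cross-site POST from a logged-in admin's
// browser is accepted; absent sanitization/escaping, the stored value becomes XSS.

// --- Weak pattern: no origin proof, no sanitization, raw value stored.
function stc_demo_save_settings_weak() {
    if ( isset( $_POST['stc_title'] ) ) {
        update_option( 'stc_demo_title', $_POST['stc_title'] ); // unsanitized
    }
}

// --- Hardened pattern: form with nonce, handler with capability + nonce checks.
function stc_demo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'stc_demo_save', 'stc_demo_nonce' ); // per-user, time-limited token
    echo '<input type="hidden" name="action" value="stc_demo_save">';
    echo '<input type="text" name="stc_title" value="'
        . esc_attr( get_option( 'stc_demo_title', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function stc_demo_save_settings_hardened() {
    // 1. Capability: only users permitted to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the nonce proves the request came from a form this site rendered
    //    for this user; a page on another origin cannot obtain a valid one.
    check_admin_referer( 'stc_demo_save', 'stc_demo_nonce' );
    // 3. Sanitize before storage (strips tags, line breaks, octets).
    $title = isset( $_POST['stc_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['stc_title'] ) )
        : '';
    update_option( 'stc_demo_title', $title );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_stc_demo_save', 'stc_demo_save_settings_hardened' );

// 4. Escape on output so stored data is never interpreted as markup.
function stc_demo_shortcode() {
    return '<span class="stc-demo">' . esc_html( get_option( 'stc_demo_title', '' ) ) . '</span>';
}
add_shortcode( 'stc_demo', 'stc_demo_shortcode' );
```

A CSP header that disallows inline scripts reduces the blast radius of any payload that still reaches the page, but it is a backstop, not a substitute for the nonce and escaping above.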
CVE-2025-49344 is a Cross-Site Request Forgery (CSRF) vulnerability in the SensitiveTagCloud WordPress plugin, allowing for Stored XSS attacks. It affects versions 0.0.0 through 1.4.1.
If you are using the SensitiveTagCloud WordPress plugin at any version from 0.0.0 through 1.4.1, you are potentially affected by this vulnerability.
Upgrade the SensitiveTagCloud plugin to 1.4.2 or later, which includes the security fix. Consider implementing CSP headers and server-side CSRF protection as interim measures.
While no active exploitation has been confirmed, the vulnerability's nature makes it likely to be targeted, and proactive mitigation is recommended.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.