Platform: wordpress
Component: create-posts-terms
Fixed in: 1.3.2
CVE-2025-49351 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Create Posts & Terms WordPress plugin. This flaw allows an attacker to execute Stored XSS attacks, potentially leading to account compromise and malicious code injection. The vulnerability affects versions from 0.0.0 up to and including 1.3.1. A patch is expected to be released by the plugin developer.
The CSRF vulnerability in Create Posts & Terms allows an attacker to trick a legitimate user into performing unintended actions on the WordPress site. Because this vulnerability leads to Stored XSS, the attacker can inject malicious scripts that are stored on the server and executed when other users visit affected pages. This could result in session hijacking, defacement of the website, redirection to malicious sites, or the theft of sensitive user data. The blast radius extends to all users who interact with the plugin, particularly those with administrative privileges.
CVE-2025-49351 was publicly disclosed on 2025-12-09. There are currently no known public proof-of-concept exploits available. The EPSS score is pending evaluation. Monitor security advisories from WordPress and the plugin developer for updates and further information.
Exploit Status
EPSS: 0.02% (5th percentile)
The primary mitigation for CVE-2025-49351 is to upgrade to a patched version of the Create Posts & Terms plugin as soon as it becomes available. Until then, consider implementing temporary workarounds. Input validation on all user-supplied data within the plugin is crucial to prevent XSS. Implementing CSRF tokens on all sensitive actions within the plugin will significantly reduce the risk of unauthorized requests. Web Application Firewalls (WAFs) configured to detect and block CSRF attacks can also provide an additional layer of protection.
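To make the two mitigations above concrete, here is an added, hypothetical WordPress admin-post handler (not the Create Posts & Terms plugin's code; the function and action names `example_create_post`, `example_unsafe_create_post` and `example_safe_create_post` are assumptions) shown first in the pattern that lets a forged request store attacker-controlled markup, then hardened with a nonce check, a capability check and input sanitization.

```php
<?php
// Added, hypothetical example: a WordPress admin-post handler that creates a post
// from form input. Not the plugin's own code; names prefixed "example_" are assumed.

// --- Pattern to avoid: no nonce, no capability check, raw input stored ---
function example_unsafe_create_post() {
    // Any request reaching this endpoint is honoured. A logged-in editor lured to a
    // third-party page can have a form auto-submitted here, and the values are stored
    // verbatim, so script in the title/content becomes a stored XSS payload.
    wp_insert_post( array(
        'post_title'   => $_POST['title'],
        'post_content' => $_POST['content'],
        'post_status'  => 'publish',
    ) );
}

// --- Hardened form ---
function example_safe_create_post() {
    // 1. CSRF: the submitting form must carry a nonce from wp_nonce_field( 'example_create_post' ).
    //    check_admin_referer() terminates the request with a 403 if it is missing or invalid.
    check_admin_referer( 'example_create_post' );

    // 2. Authorization: a valid nonce proves intent, not privilege.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }

    // 3. Input validation: strip tags from the title, allow only post-safe HTML in the body.
    $title   = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );

    $post_id = wp_insert_post( array(
        'post_title'   => $title,
        'post_content' => $content,
        'post_status'  => 'draft', // never auto-publish from a form submission
    ), true );

    if ( is_wp_error( $post_id ) ) {
        wp_die( esc_html( $post_id->get_error_message() ) );
    }
    wp_safe_redirect( admin_url( 'post.php?post=' . (int) $post_id . '&action=edit' ) );
    exit;
}

// Register only the hardened handler for admin-post.php?action=example_create_post.
add_action( 'admin_post_example_create_post', 'example_safe_create_post' );
```

Whatever the stored values, escape them on output as well (`esc_html()`, `esc_attr()`), since sanitization on the way in is not a substitute for escaping on the way out.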
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-49351 is a Cross-Site Request Forgery (CSRF) vulnerability in the Create Posts & Terms WordPress plugin, allowing for Stored XSS attacks.
You are affected if your WordPress site uses the Create Posts & Terms plugin in versions 0.0.0 through 1.3.1.
Upgrade to the latest version of the Create Posts & Terms plugin as soon as a patch is released. Implement input validation and CSRF tokens as temporary mitigations.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Check the plugin developer's website and WordPress.org plugin page for updates and advisories related to CVE-2025-49351.