WordPress Last.fm Album Artwork CSRF / Stored XSS (CVE-2025-7684)

Plugin Name: Last.fm Recent Album Artwork
Type of Vulnerability: CSRF and XSS
CVE Number: CVE-2025-7684
Urgency: Low
CVE Publish Date: 2025-08-15
Source URL: CVE-2025-7684

Urgent: Last.fm Recent Album Artwork (≤ 1.0.2) — CSRF leading to Stored XSS (CVE-2025-7684)

Published: 15 August 2025

Author: Hong Kong Security Expert


This post explains the recently disclosed vulnerability in the Last.fm Recent Album Artwork WordPress plugin (versions ≤ 1.0.2), tracked as CVE-2025-7684. The finding is a Cross-Site Request Forgery (CSRF) that can be used to store Cross-Site Scripting (stored XSS) payloads. Below I describe what the vulnerability is, realistic exploitation scenarios, how to check whether your site is affected, immediate mitigations you can apply safely, and longer‑term hardening guidance. Advice is pragmatic and written for site owners and administrators in a straightforward Hong Kong security practitioner tone.

Table of contents

  • What happened (high-level)
  • Why this is concerning (risk summary)
  • Technical summary (what the vulnerability is)
  • Exploitation scenarios (realistic use-cases)
  • How to check if you’re affected
  • Immediate mitigation steps (recommended, non-destructive)
  • Removal, patch and long-term recommendations
  • Virtual patching and generic WAF rule concepts
  • Monitoring, detection, and incident response plan
  • Hardening advice to reduce future risk
  • Practical developer checklist
  • Frequently asked questions

What happened (high-level)

A vulnerability was disclosed in the Last.fm Recent Album Artwork plugin for WordPress (v ≤ 1.0.2). The root cause is a CSRF issue: a state‑changing plugin action accepts requests without nonce verification, so an attacker can make a logged‑in user (often an administrator or editor) submit a request that user never intended. The plugin stores that input without adequate sanitization, and when the value is later rendered without escaping the result is stored XSS. Script running in an administrator’s browser can do anything the administrator can: create privileged accounts, edit theme or plugin files, inject content, and plant backdoors. (WordPress sets its authentication cookies HttpOnly, so a payload normally rides the admin’s live session rather than exfiltrating the cookie; that makes it no less dangerous.)

Although exploitation requires tricking a logged‑in user or relying on particular site configurations, the combination of CSRF → stored XSS is impactful and should be treated seriously by site owners.

Why this is concerning (risk summary)

  • Severity: CVSS and public reporting indicate notable impact (published score around 7.1), due to the potential to escalate from a forced action into persistent XSS.
  • Attack vector: CSRF is used to inject persistent content which executes later when viewed by privileged users.
  • Privilege implications: If executed in an administrator’s session, attackers can perform admin‑level actions using the admin’s session.
  • Detection risk: Stored XSS can persist undetected and be used for targeted credential theft or deployment of further tools.
  • Fix status at disclosure: No official patched plugin version was available at the time of disclosure, increasing the need for immediate containment.

Action is required: check for the plugin, inspect for indicators of compromise, and apply mitigations now.

Technical summary (what the vulnerability is)

Technically, this is a CSRF vulnerability combined with inadequate input sanitization and missing output escaping:

  • CSRF: The plugin exposes an endpoint or admin action that accepts input and lacks proper nonce verification and capability checks.
  • Stored XSS: Attacker-controlled input is stored and later output without proper escaping, enabling script execution in viewers’ browsers.
  • Attack chain: An attacker induces an authenticated admin/editor to submit a crafted request (CSRF). The stored payload later executes when an admin/editor views a page or admin section.

Because the forged request arrives in the victim’s own browser with the victim’s own cookies, the server cannot distinguish it from a legitimate one by authentication state alone. The defences are therefore in the plugin: a nonce that proves the request originated from a form this site rendered, a capability check that proves the user may change the setting, and escaping wherever the stored value is output. Site owners cannot add those themselves, so they should reduce exposure instead: keep admin sessions short, limit who holds write capabilities, and block or restrict the plugin’s write endpoints until a fix ships.
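To make the three defects concrete, here is an added illustration in the form of a small WordPress settings handler. It is not the plugin’s code and is not a reconstruction of it; the option name (lfm_username), the admin-post action names, the function names and the username format rule are all hypothetical. The first half shows the vulnerable pattern the advisory describes (no nonce, no capability check, raw storage, raw output); the second half shows the same handler hardened with the standard WordPress primitives.

```php
<?php
/*
 * Added example, not code from the Last.fm Recent Album Artwork plugin.
 * All option, action and function names below are hypothetical.
 */

/* ---- Vulnerable pattern: the three defects the advisory describes ---- */

add_action( 'admin_post_lfm_save_settings_vuln', 'lfm_save_settings_vuln' );
function lfm_save_settings_vuln() {
    // No check_admin_referer(): any page on the web can make a logged-in
    // user's browser POST here (CSRF). No current_user_can(): any role
    // that can reach admin-post.php can write the option.
    update_option( 'lfm_username', $_POST['lfm_username'] ); // stored unsanitized
    wp_safe_redirect( admin_url( 'options-general.php?page=lfm' ) );
    exit;
}

function lfm_render_settings_vuln() {
    // Stored value echoed without escaping: this is the stored XSS sink.
    // A value such as  "><script>...</script>  breaks out of the attribute.
    echo '<input name="lfm_username" value="' . get_option( 'lfm_username' ) . '">';
}

/* ---- Hardened: nonce + capability on write, sanitize in, escape out ---- */

add_action( 'admin_post_lfm_save_settings', 'lfm_save_settings' );
function lfm_save_settings() {
    // Rejects forged cross-site requests: the nonce is only present in
    // forms this site rendered for this user (wp_die()s on failure).
    check_admin_referer( 'lfm_save_settings', 'lfm_nonce' );

    // A valid nonce is not authorization: still require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'lfm' ), '', array( 'response' => 403 ) );
    }

    $username = isset( $_POST['lfm_username'] )
        ? sanitize_text_field( wp_unslash( $_POST['lfm_username'] ) )
        : '';

    // Allow-list the format (assumed rule for this example): a username
    // can never legitimately contain quotes, angle brackets or spaces.
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,30}$/', $username ) ) {
        wp_die( esc_html__( 'Invalid Last.fm username.', 'lfm' ), '', array( 'response' => 400 ) );
    }

    update_option( 'lfm_username', $username );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=lfm' ) ) );
    exit;
}

function lfm_render_settings() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="lfm_save_settings">
        <?php wp_nonce_field( 'lfm_save_settings', 'lfm_nonce' ); ?>
        <label>Last.fm username
            <!-- esc_attr(): safe inside a quoted HTML attribute -->
            <input type="text" name="lfm_username"
                   value="<?php echo esc_attr( get_option( 'lfm_username', '' ) ); ?>">
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}

// The same value rendered on the front end must be escaped for its context
// too: esc_url() for the href, esc_html() for text content.
add_shortcode( 'lfm_artwork', function () {
    $user = get_option( 'lfm_username', '' );
    return '<a href="' . esc_url( 'https://www.last.fm/user/' . rawurlencode( $user ) ) . '">'
         . esc_html( $user ) . '</a>';
} );
```

Two points worth noting when reviewing a plugin for this class of bug. First, a WordPress nonce is tied to the user and the action but is valid for up to 24 hours and is not single‑use, so it stops CSRF only; it is not a substitute for the current_user_can() check. Second, escaping is context‑specific: esc_attr() is right inside a quoted attribute, esc_html() for text nodes and esc_url() for href/src; sanitizing on input alone, as the vulnerable version omits, would still leave the sink unsafe if a value ever reached the option by another path.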

Exploitation scenarios — realistic examples

  1. Targeted admin compromise

    An attacker crafts a malicious page (delivered by email, a forum post, an ad) containing a form or script that submits a request to the vulnerable endpoint. An administrator who is still logged in to wp-admin visits that page and unknowingly triggers the CSRF; the payload is stored and later executes in the admin’s browser, where it can act with the admin’s privileges.

  2. Automated mass exploitation

    Automated scanners fingerprint sites running the vulnerable plugin. Attackers then seed widely visited or targeted pages with the forged request; it has no effect on anonymous visitors, but whenever a logged‑in admin of a fingerprinted site lands on such a page, a stored payload is created on that site.

  3. Content poisoning and defacement

    Stored XSS can be used to inject front‑end scripts (drive‑by miners, SEO spam, phishing), harming reputation and search rankings.

  4. Supply‑chain pivoting

    After obtaining admin access via stored XSS, attackers can install backdoors, create privileged accounts, or modify themes and plugins to maintain persistence.

How to check if you’re affected

Follow these steps to discover whether your site has the vulnerable plugin and if compromise indicators exist.

  1. Identify plugin installation

    WordPress Admin → Plugins → Installed Plugins — look for “Last.fm Recent Album Artwork”. If version is 1.0.2 or earlier, consider it vulnerable.

  2. Check for suspicious changes (admins only)

    Review recent posts, plugin settings and custom tables for unexpected HTML or JavaScript. Search the database (e.g., wp_options, custom plugin tables) for