WordPress User Meta CSRF Exposes Stored XSS (CVE-2025-7688)

WordPress Add User Meta plugin
Plugin Name: Add User Meta
Type of Vulnerability: CSRF and Stored XSS
CVE Number: CVE-2025-7688
Urgency: Medium
CVE Publish Date: 2025-08-15
Source URL: CVE-2025-7688

Urgent Security Advisory: Add User Meta plugin (<= 1.0.1) — CSRF → Stored XSS (CVE-2025-7688)

Date: 15 August 2025
Author: Hong Kong Security Expert


Summary

  • Vulnerability: Cross-Site Request Forgery (CSRF) enabling Stored Cross-Site Scripting (XSS)
  • Affected software: Add User Meta WordPress plugin, versions ≤ 1.0.1
  • CVE: CVE-2025-7688
  • Privilege required: Unauthenticated (attacker may exploit from the web)
  • Public fix: None available at time of disclosure
  • Recommendation: Mitigate immediately — remove or disable the plugin, apply virtual patching via your WAF or server firewall, and follow the incident response checklist below.

This advisory describes the technical details, exploitation scenarios, detection and containment processes, code-level fixes for plugin authors, virtual patch rules you can deploy immediately, and longer-term hardening guidance.


What happened (short)

The Add User Meta plugin exposes an endpoint or action that allows adding or updating user metadata without proper CSRF protections and without validating or sanitizing input. There is no effective nonce/CSRF check and user-provided data is stored and output without safe escaping. An attacker can craft requests (or trick an authenticated user into submitting one) that persist script-based payloads into user meta fields. Those payloads later render in pages or admin views where the meta values are echoed, resulting in stored XSS.

Because the issue can be exploited by unauthenticated attackers, the risk is elevated: persistent payloads can affect administrators and site visitors alike.


Why this is serious

Stored XSS is among the most dangerous client-side vulnerabilities on platforms like WordPress:

  • Persistent execution: malicious JavaScript is stored on the server and executes whenever the vulnerable page is viewed.
  • Admin compromise: if an admin views a page or profile where unsafe meta is rendered, attackers can hijack sessions or perform privileged actions.
  • Reputation and SEO damage: injected content can deliver spam, ads, or phishing, harming trust and search visibility.
  • Automated exploitation: public disclosure commonly triggers automated scans and mass exploitation; act immediately.

This issue has an estimated CVSS-like assessment around 7.1 (medium/high). Given unauthenticated, persistent write capability, treat it as actionable.


Technical analysis

Root causes typically seen in this vulnerability class:

  1. Missing CSRF protection (no nonce is issued, and nothing verifies one with check_admin_referer() or wp_verify_nonce()).
  2. Allowing unauthenticated or insufficiently authorized requests to write user meta.
  3. Lack of input validation (accepting arbitrary HTML or script payloads).
  4. Unsafe output (echoing meta values without esc_html(), esc_attr(), or wp_kses()).
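The following is an added example, not code from the Add User Meta plugin or from the author of this advisory. It shows a minimal handler that exhibits all four root causes above, followed by a hardened version in which each cause is addressed at the line where it matters. The action name, nonce action, meta keys and script handle (all prefixed aum_example_) are assumptions chosen for illustration; the WordPress functions used are the standard core APIs.

```php
<?php
// --- Vulnerable pattern (for contrast; do not ship) ---------------------------
// Root cause 1: no nonce check.  Root cause 2: wp_ajax_nopriv_ lets unauthenticated
// callers reach a write.  Root cause 3: meta_key/meta_value taken verbatim.
add_action( 'wp_ajax_nopriv_aum_example_save_meta_unsafe', 'aum_example_save_meta_unsafe' );
function aum_example_save_meta_unsafe() {
    update_user_meta( (int) $_POST['user_id'], $_POST['meta_key'], $_POST['meta_value'] );
    // Root cause 4: the value is later echoed unescaped, e.g. echo get_user_meta(...).
    wp_die();
}

// --- Hardened handler ---------------------------------------------------------
// Only authenticated users reach the wp_ajax_ hook; no wp_ajax_nopriv_ twin is
// registered for an action that writes to wp_usermeta (root cause 2).
add_action( 'wp_ajax_aum_example_save_meta', 'aum_example_save_meta' );

function aum_example_save_meta() {
    // Root cause 1 (CSRF): check_ajax_referer() terminates the request with 403
    // when the nonce sent in the 'security' field does not match the action.
    check_ajax_referer( 'aum_example_save_meta_nonce', 'security' );

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;

    // Root cause 2 (authorization): the caller must be allowed to edit this
    // specific account, not merely be logged in.
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Root cause 3 (validation): accept only the keys this feature manages
    // (assumed allow-list) instead of arbitrary wp_usermeta keys, and reduce the
    // value to plain text so no markup is ever stored.
    $allowed_keys = array( 'aum_example_phone', 'aum_example_department' );
    $meta_key     = isset( $_POST['meta_key'] ) ? sanitize_key( $_POST['meta_key'] ) : '';
    if ( ! in_array( $meta_key, $allowed_keys, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid meta key' ), 400 );
    }
    $meta_value = isset( $_POST['meta_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) )
        : '';

    update_user_meta( $user_id, $meta_key, $meta_value );
    wp_send_json_success( array( 'user_id' => $user_id, 'meta_key' => $meta_key ) );
}

// Root cause 4 (output): escape for the context the value lands in, even though
// the stored value was already sanitized. Storage and output are separate defenses.
function aum_example_render_meta( $user_id ) {
    $phone = get_user_meta( $user_id, 'aum_example_phone', true );
    $dept  = get_user_meta( $user_id, 'aum_example_department', true );
    echo '<p>Phone: ' . esc_html( $phone ) . '</p>';                     // text node
    echo '<input type="text" name="aum_example_department" value="'
        . esc_attr( $dept ) . '">';                                       // attribute
}

// Issue the nonce to the admin-side script that calls the action (assumed file name).
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'aum-example', plugins_url( 'aum-example.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'aum-example', 'aumExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'aum_example_save_meta_nonce' ),
    ) );
} );
```

Two design points worth noting: the nonce check and the capability check are independent (a valid nonce proves the request originated from a page WordPress served to this user, while current_user_can() proves the user may edit that target account), so both are needed; and a meta-key allow-list matters because unrestricted writes to wp_usermeta can touch keys other plugins and core rely on, which is a separate problem from XSS.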

Typical vulnerable flow:

  • Plugin registers an endpoint (AJAX, REST, or form handler) that accepts user_id, meta_key, meta_value.
  • The endpoint writes directly to wp_usermeta using add_user_meta() / update_user_meta() without verifying origin or sanitizing meta_value.
  • Later, the plugin or other code outputs that meta value in HTML without escaping, allowing