{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3867", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-22T14:47:52.051Z", "datePublished": "2025-04-25T06:45:27.801Z", "dateUpdated": "2026-04-08T16:43:25.856Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:25.856Z"}, "affected": [{"vendor": "rafe007", "product": "Ajax Comment Form CST", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Ajax Comment Form CST plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation via the 'acform_cst_settings' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Ajax Comment Form CST <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2a001b31-042d-451b-ad9e-df8d41d3c2b0?source=cve"}, {"url": "https://wordpress.org/plugins/ajax-comment-form-cst/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "timeline": [{"time": "2025-04-24T18:32:15.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-25T15:43:28.376791Z", "id": "CVE-2025-3867", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-25T16:02:10.765Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3867", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-25T15:43:28.376791Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-25T15:43:29.956Z"}}], "cna": {"title": "Ajax Comment Form CST <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "rafe007", "product": "Ajax Comment Form CST", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-24T18:32:15.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2a001b31-042d-451b-ad9e-df8d41d3c2b0?source=cve"}, {"url": "https://wordpress.org/plugins/ajax-comment-form-cst/"}], "descriptions": [{"lang": "en", "value": "The Ajax Comment Form CST plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation via the 'acform_cst_settings' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:43:25.856Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3867", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:43:25.856Z", "dateReserved": "2025-04-22T14:47:52.051Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-25T06:45:27.801Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Ajax Comment Form CST plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation via the 'acform_cst_settings' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Ajax Comment Form CST para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 1.2 incluida. Esto se debe a la falta o a una validaci\u00f3n incorrecta del nonce en la p\u00e1gina 'acform_cst_settings'. Esto permite que atacantes no autenticados actualicen la configuraci\u00f3n e inyecten scripts web maliciosos mediante una solicitud falsificada, ya que pueden enga\u00f1ar al administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-3867", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-04-25T07:15:48.320", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/ajax-comment-form-cst/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2a001b31-042d-451b-ad9e-df8d41d3c2b0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:28:20.653208+00:00", "value": {"mitigation_remediation": ["Update the Ajax Comment Form CST plugin to version 1.3 or later, which restores correct nonce validation.", "If an update is not possible, remove or disable the plugin entirely to prevent the CSRF vector and stored XSS injection.", "As a temporary workaround, restrict access to the plugin\u2019s settings page using server\u2011side access controls or a firewall rule that blocks unauthenticated POST requests to /wp-admin/admin-ajax.php for the relevant action handlers."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting via CSRF"}, "threat_synthesis": {"affected_systems": "Vendors and products affected are WordPress sites using the rafe007 Ajax Comment Form CST plugin, versions 1.2 and earlier. No specific version numbers beyond the \u22641.2 limit are listed.", "description_and_impact": "The Ajax Comment Form CST plugin contains a CSRF flaw on the settings page, allowing an unauthenticated attacker to send a forged request that updates plugin settings with malicious JavaScript. The injected script is stored on the site and delivered to logged\u2011in users, enabling stored XSS attacks that can hijack sessions, deface content, or deliver malware. The vulnerability stems from missing or incorrect nonce validation, which is a classic input validation weakness (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity. An EPSS score of less than 1% suggests low likelihood of exploitation, and the vulnerability has not been listed in CISA\u2019s KEV catalog. Attackers require only a link or image that an administrator will unknowingly click, making it a practical CSRF attack but limited to sites with the vulnerable plugin and an active admin user."}}}}, "created": "2025-07-12T15:42:36.633790+00:00", "updated": "2026-04-22T17:30:22.637664+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}