{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4189", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-01T13:00:30.855Z", "datePublished": "2025-05-17T03:24:49.951Z", "dateUpdated": "2026-04-08T17:05:32.590Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:32.590Z"}, "affected": [{"vendor": "naicuoctavian", "product": "Audio Comments Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Audio Comments Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the 'audio-comments/audior-settings.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Audio Comments Plugin <= 1.0.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/89b12c36-e115-4f67-86e6-647dfc9fd25b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/audio-comments/trunk/audior-settings.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "timeline": [{"time": "2025-05-16T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-19T15:39:29.243274Z", "id": "CVE-2025-4189", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-19T15:39:36.478Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4189", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-19T15:39:29.243274Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-19T15:39:33.217Z"}}], "cna": {"title": "Audio Comments Plugin <= 1.0.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "naicuoctavian", "product": "Audio Comments Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-16T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/89b12c36-e115-4f67-86e6-647dfc9fd25b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/audio-comments/trunk/audior-settings.php"}], "descriptions": [{"lang": "en", "value": "The Audio Comments Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the 'audio-comments/audior-settings.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:32.590Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4189", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:05:32.590Z", "dateReserved": "2025-05-01T13:00:30.855Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-17T03:24:49.951Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Audio Comments Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the 'audio-comments/audior-settings.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Audio Comments Plugin para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 1.0.4 incluida. Esto se debe a la falta o a una validaci\u00f3n incorrecta de nonce en la p\u00e1gina 'audio-comments/audior-settings.php'. Esto permite que atacantes no autenticados actualicen la configuraci\u00f3n e inyecten scripts web maliciosos mediante una solicitud falsificada, ya que pueden enga\u00f1ar al administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-4189", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-17T04:16:19.027", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/audio-comments/trunk/audior-settings.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/89b12c36-e115-4f67-86e6-647dfc9fd25b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T20:46:51.437421+00:00", "value": {"mitigation_remediation": ["Upgrade Audio Comments Plugin to a version that implements proper nonce validation or remove the plugin if no patch is available", "If no update exists, limit access to the plugin\u2019s settings page so that only legitimate administrators can make changes and disable the ability to modify settings via non\u2011authenticated requests", "Deploy a web application firewall rule that blocks requests to /audio-comments/audior-settings.php lacking a valid nonce or containing suspicious script payloads"], "summary": {"action": "Upgrade Plugin", "impact": "Stored cross\u2011site scripting via CSRF"}, "threat_synthesis": {"affected_systems": "Vendors: naicuoctavian. Product: Audio Comments Plugin. All releases version 1.0.4 and earlier are affected; the vulnerability is present in every build up to and including 1.0.4.", "description_and_impact": "The Audio Comments Plugin for WordPress is vulnerable to Cross\u2011Site Request Forgery in all versions up to 1.0.4. Missing or incorrect nonce validation on the settings page allows an unauthenticated attacker to perform a forged request that updates plugin settings and injects malicious web scripts. The injected scripts are stored and executed in the context of the site, potentially compromising confidentiality, integrity, or availability for visitors who view the page.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity, and the EPSS score of < 1% shows a low but nonzero likelihood of exploitation in the near term. The vulnerability is not currently listed in CISA KEV. Exploitation requires an attacker to trick a site administrator into accessing the settings page, most likely by enticing them to click a crafted link or form. Once the forged request succeeds, the attacker can store arbitrary script payloads that will run on subsequent page loads, enabling defacement, credential theft, or further malware distribution."}}}}, "created": "2026-04-21T21:00:35.996714+00:00", "updated": "2026-04-21T21:00:35.996725+00:00", "vendors": []}