{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4198", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-01T13:15:37.831Z", "datePublished": "2025-05-03T01:43:06.514Z", "dateUpdated": "2026-04-08T17:21:33.444Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:33.444Z"}, "affected": [{"vendor": "todoapuestas", "product": "Alink Tap", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Alink Tap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the 'alink-tap' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Alink Tap <= 1.3.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c856e06d-34f7-42e9-a72c-3d4e9207e07e?source=cve"}, {"url": "https://wordpress.org/plugins/alink-tap/"}, {"url": "https://plugins.trac.wordpress.org/browser/alink-tap/trunk/admin/views/admin.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "timeline": [{"time": "2025-05-02T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-05T14:40:40.943767Z", "id": "CVE-2025-4198", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-05T14:58:02.322Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4198", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-05T14:40:40.943767Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-05T14:40:42.442Z"}}], "cna": {"title": "Alink Tap <= 1.3.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "todoapuestas", "product": "Alink Tap", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.3.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-02T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c856e06d-34f7-42e9-a72c-3d4e9207e07e?source=cve"}, {"url": "https://wordpress.org/plugins/alink-tap/"}, {"url": "https://plugins.trac.wordpress.org/browser/alink-tap/trunk/admin/views/admin.php"}], "descriptions": [{"lang": "en", "value": "The Alink Tap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the 'alink-tap' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:33.444Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4198", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:21:33.444Z", "dateReserved": "2025-05-01T13:15:37.831Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-03T01:43:06.514Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Alink Tap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the 'alink-tap' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Alink Tap para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 1.3.1 incluida. Esto se debe a la falta o la validaci\u00f3n incorrecta de nonce en la p\u00e1gina \"alink-tap\". Esto permite que atacantes no autenticados actualicen la configuraci\u00f3n e inyecten scripts web maliciosos mediante una solicitud falsificada, ya que pueden enga\u00f1ar al administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-4198", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-03T03:15:28.923", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/alink-tap/trunk/admin/views/admin.php"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/alink-tap/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c856e06d-34f7-42e9-a72c-3d4e9207e07e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:59:53.524845+00:00", "value": {"mitigation_remediation": ["Upgrade Alink Tap to the latest available version or apply the vendor\u2019s patch to implement proper nonce validation on the settings page", "If a patch is not yet published, disable the Alink Tap settings page for non\u2011administrator users to prevent malicious updates", "Apply a site\u2011wide CSRF protection mechanism, such as adding a unique token to all admin forms", "Configure a web application firewall to block requests to the plugin\u2019s admin endpoint that lack a valid CSRF token"], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting via CSRF"}, "threat_synthesis": {"affected_systems": "The plug\u2011in, developed by todoapuestas under the name Alink Tap, is affected in all versions up to and including 1.3.1. WordPress sites that have installed any of those versions are vulnerable. No other systems or plugins are listed as impacted in the advisory.", "description_and_impact": "The Alink Tap WordPress plugin is vulnerable to Cross\u2011Site Request Forgery because nonce validation on its settings page is missing or incorrect. An unauthenticated attacker can submit a forged request to the plugin\u2019s admin page, causing the plugin to update its configuration and inject arbitrary JavaScript code that will run in the context of the site\u2019s visitor or administrator. This stored cross\u2011site scripting flaw is classified as CWE\u2011352 and can lead to credential theft, defacement or the execution of further malicious payloads by unsuspecting site users.", "risk_and_exploitability": "The CVSS score of 6.1 indicates a moderate overall severity. The EPSS score of less than 1% shows that exploit activity is expected to be very low, and the advisory is not currently listed in the CISA KEV catalog. Attackers would need to trick an authenticated site administrator into clicking a crafted link or submitting a forged form; thus the vulnerability requires user interaction to be exploited. While the exploitation probability is low, the potential impact of a successful XSS attack\u2014credential compromise and site defacement\u2014makes this a noteworthy risk for any WordPress site running the vulnerable plug\u2011in."}}}}, "created": "2026-04-20T23:00:14.176751+00:00", "updated": "2026-04-20T23:00:14.176768+00:00", "vendors": []}