{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6054", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-13T12:38:32.110Z", "datePublished": "2025-07-23T02:24:37.769Z", "dateUpdated": "2026-04-08T16:37:18.951Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:18.951Z"}, "affected": [{"vendor": "stratosg", "product": "YANewsflash", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The YANewsflash plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the 'yanewsflash/yanewsflash.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "YANewsflash <= 1.0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/171fe5db-0b43-47ba-b215-87ce9d7b5095?source=cve"}, {"url": "https://wordpress.org/plugins/yanewsflash/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "timeline": [{"time": "2025-07-22T14:03:11.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-23T14:24:57.366980Z", "id": "CVE-2025-6054", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-23T15:14:30.683Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6054", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-23T14:24:57.366980Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-23T14:25:09.485Z"}}], "cna": {"title": "YANewsflash <= 1.0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Johannes Skamletz"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "stratosg", "product": "YANewsflash", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-22T14:03:11.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/171fe5db-0b43-47ba-b215-87ce9d7b5095?source=cve"}, {"url": "https://wordpress.org/plugins/yanewsflash/"}], "descriptions": [{"lang": "en", "value": "The YANewsflash plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the 'yanewsflash/yanewsflash.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-07-23T02:24:37.769Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6054", "state": "PUBLISHED", "dateUpdated": "2025-07-23T15:14:30.683Z", "dateReserved": "2025-06-13T12:38:32.110Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-23T02:24:37.769Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The YANewsflash plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the 'yanewsflash/yanewsflash.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento YANewsflash para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 1.0.3 incluida. Esto se debe a la falta o la validaci\u00f3n incorrecta de nonce en la p\u00e1gina 'yanewsflash/yanewsflash.php'. Esto permite que atacantes no autenticados actualicen la configuraci\u00f3n e inyecten scripts web maliciosos mediante una solicitud falsificada, ya que pueden enga\u00f1ar al administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-6054", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-23T03:15:24.800", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/yanewsflash/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/171fe5db-0b43-47ba-b215-87ce9d7b5095?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:36:38.766755+00:00", "value": {"mitigation_remediation": ["Upgrade YANewsflash to version 1.0.4 or later, where nonce validation is correctly enforced.", "If a newer version is unavailable, uninstall or disable the YANewsflash plugin to eliminate the attack surface.", "As a temporary measure, block or restrict POST requests to yanewsflash/yanewsflash.php that lack a valid nonce, or use a security plugin to enforce additional CSRF checks on the plugin\u2019s administrative pages."], "summary": {"action": "Patch", "impact": "Stored XSS via CSRF"}, "threat_synthesis": {"affected_systems": "The affected product is the YANewsflash plugin from vendor stratosg. All releases with version numbers 1.0.3 or earlier are vulnerable. Administrators using any WordPress installation that has this plugin installed and enabled should verify the current version and update if necessary.", "description_and_impact": "The YANewsflash WordPress plugin is vulnerable in all releases up to 1.0.3 because the yanewsflash.php handler does not validate the nonce correctly or at all. This oversight allows an unauthenticated actor to forge a request that the site administrator is tricked into submitting, updating plugin settings and injecting arbitrary scripts into the stored configuration. The injected scripts are then served to anyone who visits the site, creating a stored cross\u2011site scripting condition that can be leveraged for defacement, credential theft or drive\u2011by downloads.", "risk_and_exploitability": "The CVSS base score of 6.1 indicates moderate severity, and the EPSS score of less than 1\u202f% points to a very low probability of exploitation at the time of this analysis. The vulnerability is not yet listed in the CISA KEV catalog. The attack requires the target administrator to click a malicious link or submit a forged form, so an attacker can only gain effect after luring a privileged user to perform an action. Although the likelihood is low, an active attacker could still trigger the stored XSS for any site visitor, potentially compromising user sessions and enabling further attacks."}}}}, "created": "2025-07-23T17:35:53.355202+00:00", "updated": "2026-04-22T14:45:19.281427+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}