{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6055", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-13T12:43:45.482Z", "datePublished": "2025-06-14T08:23:24.260Z", "dateUpdated": "2026-04-08T16:45:35.378Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:45:35.378Z"}, "affected": [{"vendor": "bogdanding", "product": "Zen Sticky Social", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Zen Sticky Social plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. This is due to missing or incorrect nonce validation on the 'zen-social-sticky/zen-sticky-social.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Zen Sticky Social <= 0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/33cfebae-bbf3-4b0b-9afc-3ef2548045e7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/zen-social-sticky/trunk/zen-sticky-social.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "timeline": [{"time": "2025-06-13T19:44:57.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-16T16:46:01.459266Z", "id": "CVE-2025-6055", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-17T18:39:21.836Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6055", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-16T16:46:01.459266Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-16T16:47:15.628Z"}}], "cna": {"title": "Zen Sticky Social <= 0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "bogdanding", "product": "Zen Sticky Social", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-13T19:44:57.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/33cfebae-bbf3-4b0b-9afc-3ef2548045e7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/zen-social-sticky/trunk/zen-sticky-social.php"}], "descriptions": [{"lang": "en", "value": "The Zen Sticky Social plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. This is due to missing or incorrect nonce validation on the 'zen-social-sticky/zen-sticky-social.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:45:35.378Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6055", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:45:35.378Z", "dateReserved": "2025-06-13T12:43:45.482Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-14T08:23:24.260Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Zen Sticky Social plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. This is due to missing or incorrect nonce validation on the 'zen-social-sticky/zen-sticky-social.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Zen Sticky Social para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 0.3 incluida. Esto se debe a la falta o a una validaci\u00f3n de nonce incorrecta en la p\u00e1gina 'zen-social-sticky/zen-sticky-social.php'. Esto permite que atacantes no autenticados actualicen la configuraci\u00f3n e inyecten scripts web maliciosos mediante una solicitud falsificada, ya que pueden enga\u00f1ar al administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-6055", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-06-14T09:15:24.050", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/zen-social-sticky/trunk/zen-sticky-social.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/33cfebae-bbf3-4b0b-9afc-3ef2548045e7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T20:15:13.101007+00:00", "value": {"mitigation_remediation": ["Upgrade the Zen Sticky Social plugin to the latest released version (at least 0.4) which restores proper nonce verification.", "If an upgrade cannot be applied immediately, disable or remove the plugin from the WordPress installation to eliminate the attack surface.", "Implement a site\u2011wide security measure such as a WordPress security plugin that blocks unauthenticated requests to admin endpoints or enforces nonce checks on all plugin actions."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting via CSRF"}, "threat_synthesis": {"affected_systems": "All installations of the Zen Sticky Social plugin by bogdanding, up to and including version 0.3, running on WordPress sites.", "description_and_impact": "The Zen Sticky Social plugin for WordPress suffers from a Cross\u2011Site Request Forgery flaw caused by missing or incorrect nonce validation on a plugin page. Unauthenticated attackers can craft a forged request that, when executed by a site administrator, modifies the plugin settings and injects malicious scripts into the site. These scripts are stored and executed whenever site content is rendered, giving attackers the ability to run arbitrary JavaScript in the context of visitors or administrators, potentially leading to data theft, defacement or credential compromise.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.1 and an EPSS score of less than 1\u202f%, indicating a moderate severity but a very low probability of active exploitation. It is not listed in CISA\u2019s KEV catalog. Attackers would need to lure an administrator to trigger the forged request, typically via a malicious link or email. Once the request is processed, stored XSS payloads are injected, providing long\u2011term access to the site\u2019s front\u2011end and potentially the admin interface if the payload is crafted accordingly."}}}}, "created": "2026-04-21T20:15:44.581827+00:00", "updated": "2026-04-21T20:15:44.581838+00:00", "vendors": []}