{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7684", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-15T18:48:20.341Z", "datePublished": "2025-08-16T03:38:48.319Z", "dateUpdated": "2026-04-08T16:47:19.806Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:19.806Z"}, "affected": [{"vendor": "remysharp", "product": "Last.fm Recent Album Artwork", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Last.fm Recent Album Artwork plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the 'lastfm_albums_artwork.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Last.fm Recent Album Artwork <= 1.0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3bf6671d-f481-4fe5-b966-2591ab76b0b5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/lastfm-recent-album-artwork/trunk/lastfm_albums_artwork.php"}, {"url": "https://wordpress.org/plugins/lastfm-recent-album-artwork/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "timeline": [{"time": "2025-08-15T14:46:26.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-18T13:38:08.997278Z", "id": "CVE-2025-7684", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-18T19:00:41.831Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7684", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-18T13:38:08.997278Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-18T13:38:12.657Z"}}], "cna": {"title": "Last.fm Recent Album Artwork <= 1.0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "remysharp", "product": "Last.fm Recent Album Artwork", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-15T14:46:26.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3bf6671d-f481-4fe5-b966-2591ab76b0b5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/lastfm-recent-album-artwork/trunk/lastfm_albums_artwork.php"}, {"url": "https://wordpress.org/plugins/lastfm-recent-album-artwork/"}], "descriptions": [{"lang": "en", "value": "The Last.fm Recent Album Artwork plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the 'lastfm_albums_artwork.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:19.806Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7684", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:47:19.806Z", "dateReserved": "2025-07-15T18:48:20.341Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-16T03:38:48.319Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Last.fm Recent Album Artwork plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the 'lastfm_albums_artwork.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Last.fm Recent Album Artwork para WordPress es vulnerable a cross-site request forgery en todas las versiones hasta la 1.0.2 incluida. Esto se debe a la falta o la validaci\u00f3n incorrecta de nonce en la p\u00e1gina \"lastfm_albums_artwork.php\". Esto permite que atacantes no autenticados actualicen la configuraci\u00f3n e inyecten scripts web maliciosos mediante una solicitud falsificada, ya que pueden enga\u00f1ar al administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-7684", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-16T04:16:08.437", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/lastfm-recent-album-artwork/trunk/lastfm_albums_artwork.php"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/lastfm-recent-album-artwork/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3bf6671d-f481-4fe5-b966-2591ab76b0b5?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T19:22:00.129807+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest released version of the Last.fm Recent Album Artwork plugin (currently 1.0.3 or later) which corrects the nonce validation flaw.", "Disable the plugin until the update is applied to prevent any further misuse of the vulnerable endpoint.", "Inspect the plugin\u2019s settings for injected scripts, remove any malicious content, and reset the configuration to default values to eliminate stored XSS payloads."], "summary": {"action": "Apply Update", "impact": "Stored Cross\u2011Site Scripting via Cross\u2011Site Request Forgery"}, "threat_synthesis": {"affected_systems": "All installations of the remysharp:Last.fm Recent Album Artwork plugin, versions 1.0.2 and earlier, running on WordPress websites. The vulnerability is present regardless of the overall WordPress core version, as it resides in the plugin\u2019s PHP script accessed by site administrators.", "description_and_impact": "The Last.fm Recent Album Artwork plugin for WordPress contains a missing or incorrect nonce check on its settings page, allowing an attacker to forge a request that updates the plugin\u2019s configuration. By exploiting this vulnerability, a malicious actor can inject arbitrary JavaScript that will be stored in the site\u2019s settings and executed in the browsers of any user who views the affected page. The impact is the compromise of confidentiality and integrity of site data and the potential to hijack administrator sessions, deface the site, or exfiltrate sensitive information through client\u2011side scripts.", "risk_and_exploitability": "The CVSS score of 6.1 categorizes the issue as a moderate severity flaw. The EPSS score of less than 1\u202f% indicates a very low current probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. However, the attack requires only that an administrator click a crafted link or form, making social engineering a viable vector. Once executed, the stored XSS can affect all users of the site, elevating the risk in environments with sensitive or privileged users. The lack of immediate automatic exploitation mechanisms means the attacker must first persuade a target administrator to perform the forged request."}}}}, "created": "2026-04-21T19:30:06.084227+00:00", "updated": "2026-04-21T19:30:06.084238+00:00", "vendors": []}