{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7686", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-15T18:54:22.324Z", "datePublished": "2025-08-16T03:38:53.603Z", "dateUpdated": "2026-04-08T17:35:07.987Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:35:07.987Z"}, "affected": [{"vendor": "lmyoaoa", "product": "weichuncai(WP\u4f2a\u6625\u83dc)", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The weichuncai(WP\u4f2a\u6625\u83dc) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the sm-options.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "weichuncai(WP\u4f2a\u6625\u83dc) <= 1.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fe46ec14-4795-4ac7-afd0-de92ccef877d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/weichuncai/trunk/sm-options.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "timeline": [{"time": "2025-08-15T14:45:37.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-18T13:16:31.593225Z", "id": "CVE-2025-7686", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-18T13:16:36.771Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7686", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-18T13:16:31.593225Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-18T13:16:33.740Z"}}], "cna": {"title": "weichuncai(WP\u4f2a\u6625\u83dc) <= 1.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "lmyoaoa", "product": "weichuncai(WP\u4f2a\u6625\u83dc)", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-15T14:45:37.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fe46ec14-4795-4ac7-afd0-de92ccef877d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/weichuncai/trunk/sm-options.php"}], "descriptions": [{"lang": "en", "value": "The weichuncai(WP\u4f2a\u6625\u83dc) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the sm-options.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-08-16T03:38:53.603Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7686", "state": "PUBLISHED", "dateUpdated": "2025-08-18T13:16:36.771Z", "dateReserved": "2025-07-15T18:54:22.324Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-16T03:38:53.603Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The weichuncai(WP\u4f2a\u6625\u83dc) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the sm-options.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento weichuncai(WP???) para WordPress es vulnerable a cross-site request forgery en todas las versiones hasta la 1.5 incluida. Esto se debe a la falta o la validaci\u00f3n incorrecta de nonce en la p\u00e1gina sm-options.php. Esto permite que atacantes no autenticados actualicen la configuraci\u00f3n e inyecten scripts web maliciosos mediante una solicitud falsificada, ya que pueden enga\u00f1ar al administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-7686", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-16T04:16:08.650", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/weichuncai/trunk/sm-options.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fe46ec14-4795-4ac7-afd0-de92ccef877d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:30:05.093276+00:00", "value": {"mitigation_remediation": ["Upgrade the weichuncai plugin to a version that includes correct nonce validation.", "If an immediate upgrade is not possible, limit access to the sm\u2011options.php page so that only administrators can read or execute it, or disable the page entirely via file permissions or a role\u2011based access control plugin.", "Verify that any custom settings or content that are stored by the plugin undergoes output sanitization before rendering to prevent future stored XSS attacks."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting via CSRF"}, "threat_synthesis": {"affected_systems": "All installations of the weichuncai plugin produced by lmyoaoa, version 1.5 and older, are affected. Administrators using these legacy versions are at risk until they upgrade the plugin to a version that implements proper nonce checks.", "description_and_impact": "The weichuncai WordPress plugin contains a missing or incorrect nonce validation in the sm\u2011options.php page, creating a Cross\u2011Site Request Forgery vulnerability. An unauthenticated attacker can forge a request that updates the plugin settings with arbitrary JavaScript payloads. Because the plugin stores this input and embeds it in page output, the malicious script is executed whenever a visitor loads the site, resulting in stored cross\u2011site scripting.", "risk_and_exploitability": "The CVSS score of 6.1 indicates a moderate severity. The EPSS score of <1% suggests a very low probability of exploitation at this time. Attackers must convince a site administrator to click a crafted link or otherwise submit a forged request, a scenario that can arise in standard phishing. The vulnerability is not listed in the CISA KEV catalog, meaning no documented active exploits are currently known. Despite the low exploitation likelihood, the potential for persistent malicious script injection warrants immediate remediation."}}}}, "created": "2025-08-18T20:59:30.305523+00:00", "updated": "2026-04-21T03:30:26.340458+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}