CVE-2025-39431 HIGH

CVE-2025-39431: WordPress Amazon Showcase WordPress Plugin plugin <= 2.2 - CSRF to XSS vulnerability

Vendor Aaron Forgue
Product Amazon Showcase WordPress Plugin
Weakness CWE-352 · CSRF
Published April 17, 2025
Last update April 28, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

Cross-Site Request Forgery (CSRF) vulnerability in Aaron Forgue Amazon Showcase WordPress Plugin amazon-showcase-wordpress-widget allows Stored XSS. This issue affects Amazon Showcase WordPress Plugin: from n/a through <= 2.2.

Explanation of Vulnerability in Simple Terms

02 Summary

The Amazon Showcase WordPress plugin through version 2.2 contains a cross-site request forgery (CSRF) vulnerability. An attacker can craft a malicious webpage that, when visited by a logged-in site administrator, causes the administrator's browser to submit requests to the site without their knowledge. Because such a forged request can store attacker-supplied content in the plugin's settings or data, the CSRF chains into stored cross-site scripting (XSS), which is the "CSRF to XSS" in the title. Update to a version newer than 2.2 to resolve this issue.

What an attacker can do

03 Attacker Capabilities

Trick a site admin into visiting a malicious page that performs unwanted actions on the site without their consent.

Potential impact on your site

04 Site Impact

An attacker can modify plugin settings or trigger unintended actions if an admin visits an attacker-controlled page; since the stored content is later rendered by the site, this can result in stored XSS affecting site visitors.

Conditions required to exploit

05 Prerequisites

Site admin must be logged in and visit an attacker-controlled webpage or click a malicious link.
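The CSRF-to-stored-XSS chain described in the summary, capabilities and prerequisites sections above, shown as an added illustration of the two defects CWE-352 reports like this one usually come down to and how a plugin author closes them. This is hypothetical WordPress settings-handler code written for this page, not the Amazon Showcase plugin's own code; every function, option and action name prefixed `example_` is an invented placeholder. The WordPress API calls themselves (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `sanitize_text_field`, `esc_html`, and so on) are real core functions.

```php
<?php
// Added illustration of CSRF (CWE-352) chaining into stored XSS in a WordPress
// settings handler. Hypothetical code: the example_* names are placeholders and
// none of this is the Amazon Showcase plugin's source.

/* ---------- Vulnerable pattern (shown for contrast only) ---------- */

// Handler for admin-post.php?action=example_save_title (invented action name).
function example_save_title_vulnerable() {
    // No nonce check and no capability check: any request that carries the
    // administrator's session cookie is accepted, including one submitted by
    // a form on an unrelated third-party page the admin happens to visit.
    update_option( 'example_showcase_title', $_POST['title'] ); // stored unsanitized
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

function example_render_title_vulnerable() {
    // The stored value is echoed without escaping, so any markup that was
    // stored through the forged request runs in every visitor's browser.
    echo '<h2>' . get_option( 'example_showcase_title' ) . '</h2>';
}

/* ---------- Hardened pattern ---------- */

function example_settings_form() {
    // wp_nonce_field() embeds a per-user, time-limited token that a page on
    // another origin cannot read or predict, so it cannot forge the request.
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'example_save_title', 'example_nonce' );
    echo '<input type="hidden" name="action" value="example_save_title">';
    echo '<input type="text" name="title" value="'
        . esc_attr( get_option( 'example_showcase_title', '' ) ) . '">';
    submit_button();
    echo '</form>';
}

function example_save_title_hardened() {
    // 1. CSRF defence: check_admin_referer() validates the nonce and the
    //    referer, and stops the request with a 403 page when they fail.
    check_admin_referer( 'example_save_title', 'example_nonce' );

    // 2. Authorization: a valid nonce proves intent, not privilege, so the
    //    capability is checked separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 3. Sanitize on input: strip tags and control characters before storing.
    $title = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) )
        : '';
    update_option( 'example_showcase_title', $title );

    wp_safe_redirect( admin_url( 'options-general.php?updated=1' ) );
    exit;
}

function example_render_title_hardened() {
    // 4. Escape on output: contextual escaping at render time stops the
    //    "to XSS" half of the chain even if a bad value ever reaches the option.
    echo '<h2>' . esc_html( get_option( 'example_showcase_title', '' ) ) . '</h2>';
}

// Wire only the hardened handler; the vulnerable one exists for comparison.
add_action( 'admin_post_example_save_title', 'example_save_title_hardened' );
```

The nonce and capability checks address the CSRF half of the issue; the sanitize-on-input and escape-on-output steps address the stored-XSS half. When reviewing a plugin for this class of bug, look for every `admin_post_*`, `admin-ajax` or options-page handler that calls `update_option()` and confirm that a `check_admin_referer()` or `wp_verify_nonce()` call and a `current_user_can()` check precede it, and that the stored value is escaped wherever it is printed.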

Key dates

06 Disclosure timeline

April 17, 2025 CVE published
April 28, 2026 Record updated