CVE-2025-6247 MEDIUM

CVE-2025-6247: WordPress Automatic Plugin - AI content generator and auto poster plugin <= 3.118.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Vendor: Valvepress
Product: WordPress Automatic Plugin
Weakness: CWE-80 · XSS · basic
Published: August 26, 2025
Last update: April 8, 2026

CVSS base score: 4.7/10

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: Required
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

Description

The WordPress Automatic Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.118.0. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to update campaigns and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
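The chain described above (a campaign-update handler that accepts a forged request and stores attacker-supplied markup) is the generic WordPress CSRF-to-stored-XSS pattern. The PHP below is an added illustration, not code from the WordPress Automatic plugin or from Valvepress: it shows a hypothetical "save campaign" admin handler in the shape that produces the problem, then the hardened shape using WordPress's own nonce, capability, sanitisation and escaping APIs. The hook names (`admin_post_demo_save_campaign`), option name (`demo_campaigns`), field names and text domain are assumptions made for the example.

```php
<?php
/**
 * Added illustration (not the plugin's own code): a hypothetical
 * "save campaign" handler, first in the shape that yields a
 * CSRF-to-stored-XSS chain, then hardened. All names are assumed.
 */

// ---- Vulnerable shape: no nonce check, no capability check, raw storage ----
add_action( 'admin_post_demo_save_campaign_vuln', function () {
    // Any request reaching this endpoint with an administrator's cookies
    // attached (e.g. a form auto-submitted from an attacker's page) is accepted.
    $campaigns        = get_option( 'demo_campaigns', array() );
    $id               = $_POST['campaign_id'];
    $campaigns[ $id ] = array(
        'title'    => $_POST['title'],    // stored verbatim: becomes stored XSS
        'template' => $_POST['template'],
    );
    update_option( 'demo_campaigns', $campaigns );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-campaigns' ) );
    exit;
} );

// ---- Hardened shape ----
add_action( 'admin_post_demo_save_campaign', 'demo_save_campaign_secure' );

function demo_save_campaign_secure() {
    // 1. CSRF defence: the request must carry a nonce that only a page rendered
    //    for this logged-in user could have contained. On failure
    //    check_admin_referer() halts with a 403 "link has expired" page.
    check_admin_referer( 'demo_save_campaign', 'demo_nonce' );

    // 2. Authorisation: a valid nonce is not a substitute for a capability check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to edit campaigns.', 'demo' ), 403 );
    }

    // 3. Sanitise on the way in.
    $id       = absint( wp_unslash( $_POST['campaign_id'] ?? 0 ) );
    $title    = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    // A template may legitimately contain markup, so keep only the post-safe subset.
    $template = wp_kses_post( wp_unslash( $_POST['template'] ?? '' ) );

    if ( 0 === $id ) {
        wp_die( esc_html__( 'Invalid campaign id.', 'demo' ), 400 );
    }

    $campaigns        = get_option( 'demo_campaigns', array() );
    $campaigns[ $id ] = array( 'title' => $title, 'template' => $template );
    update_option( 'demo_campaigns', $campaigns );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=demo-campaigns' ) ) );
    exit;
}

// The legitimate form: wp_nonce_field() emits the hidden field that
// check_admin_referer() validates above.
function demo_render_campaign_form( $campaign_id, $campaign ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_campaign">
        <input type="hidden" name="campaign_id" value="<?php echo esc_attr( $campaign_id ); ?>">
        <?php wp_nonce_field( 'demo_save_campaign', 'demo_nonce' ); ?>
        <!-- 4. Escape on the way out as well: stored values are never trusted. -->
        <input type="text" name="title" value="<?php echo esc_attr( $campaign['title'] ?? '' ); ?>">
        <textarea name="template"><?php echo esc_textarea( $campaign['template'] ?? '' ); ?></textarea>
        <?php submit_button( __( 'Save campaign', 'demo' ) ); ?>
    </form>
    <?php
}
```

The four layers are independent: the nonce stops the forged request from being honoured at all, the capability check stops a low-privilege account from reaching the handler, input sanitisation limits what can be stored, and output escaping ensures that whatever does get stored cannot execute when rendered. A fix that only adds the nonce removes the CSRF entry point but leaves stored data unescaped, so reviewing a patch for this class of bug means checking all four.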

Explanation of Vulnerability in Simple Terms

Summary

The WordPress Automatic plugin through version 3.118.0 contains a cross-site request forgery flaw that leads to stored cross-site scripting (XSS). The attacker needs network access and no account on the site, but does need a logged-in site administrator to follow an attacker-crafted link or otherwise submit a forged request. That request updates a campaign with attacker-controlled content; the injected JavaScript is then stored and executes in the browsers of users who view the affected content, potentially affecting other users or site functionality.

What an attacker can do

Attacker Capabilities

Inject and execute malicious JavaScript in visitors' browsers to steal data or perform actions on their behalf.

Potential impact on your site

Site Impact

Once a script has been stored through a forged campaign update, users who view the affected content could have their sessions hijacked, credentials stolen, or be redirected to phishing pages.

Conditions required to exploit

Prerequisites

A logged-in site administrator must be tricked into following an attacker-crafted link or submitting a forged request; the attacker needs no account on the site.

Key dates

Disclosure timeline

August 26, 2025: CVE published
April 8, 2026: Record updated