CVE-2025-48104
BaseFortify
Publication date: 2025-09-05
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ericzane | floating_window_music_player | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) in the WordPress Floating Window Music Player plugin (up to version 3.4.2) that allows an attacker to perform Stored Cross-Site Scripting (XSS). An attacker can trick authenticated users with higher privileges into executing unauthorized actions, which can result in malicious scripts being injected and stored on the site. [1]
How can this vulnerability impact me? :
The vulnerability can allow attackers to inject malicious scripts that persist on the site, potentially compromising user data, site integrity, and user trust. Since it exploits higher privileged users, it can lead to unauthorized actions and broader security breaches. The plugin is abandoned with no official fix, increasing the risk if it remains in use. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate steps to mitigate this vulnerability include removing and replacing the Floating Window Music Player plugin, as it is abandoned and has no official patch. Applying a virtual patch (vPatch) provided by Patchstack can also help protect the site until the plugin is replaced. Simply deactivating the plugin does not eliminate the threat. [1]