CVE-2025-39381: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in KiotViet Sync WordPress plugin, identified as CVE-2025-39381. The vulnerability affects versions through 1.8.4 of the KiotViet Sync plugin and allows attackers to perform Stored Cross-Site Scripting (XSS) attacks. The vulnerability was initially reported on February 21, 2025, and was publicly disclosed on April 18, 2025 (Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery). The security issue allows unauthenticated attackers to exploit CSRF vulnerabilities that can lead to stored XSS attacks (Patchstack).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The combination of CSRF and stored XSS could potentially lead to compromised user sessions, unauthorized actions, and data manipulation (Patchstack).

Currently, no official fix has been released for this vulnerability. The security issue has been assessed as having a low severity impact and is considered unlikely to be exploited. Users are advised to monitor for updates from the plugin developer (Patchstack).