Skip to main content

No Disposable Email CVE-2025-28923

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-03-11 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:37 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 19:52 vuln.today
CVE Published
Mar 11, 2025 - 21:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in philippe No Disposable Email allows Stored XSS. This issue affects No Disposable Email: from n/a through 2.5.1.

AnalysisAI

Cross-site scripting (stored XSS) via CSRF in No Disposable Email WordPress plugin through version 2.5.1 allows remote attackers to inject malicious scripts into the site's database. An attacker tricks an authenticated administrator into submitting a crafted request, which bypasses CSRF protections and stores XSS payload that executes when other users access affected pages. EPSS score of 0.05% (14th percentile) indicates low probability of widespread exploitation, with no active exploitation (not in CISA KEV) or public POC identified at time of analysis.

Technical ContextAI

This is a chained vulnerability in a WordPress plugin designed to block disposable email addresses during user registration. The root cause (CWE-352: Cross-Site Request Forgery) stems from inadequate or missing anti-CSRF token validation in administrative functionality, allowing state-changing requests to be forged. The CSRF weakness is weaponized to inject stored cross-site scripting payloads (CWE-79), which persist in the database and execute in the browsers of users who view the poisoned content. The CVSS scope change (S:C) indicates the XSS breaks out of the WordPress plugin's security context to affect other users. Affected product is the No Disposable Email WordPress plugin versions from earliest available through 2.5.1.

Affected ProductsAI

No Disposable Email WordPress plugin versions from earliest release through 2.5.1 are confirmed vulnerable. The plugin is authored by developer 'philippe' and available through the WordPress.org plugin repository. Patchstack advisory at https://patchstack.com/database/wordpress/plugin/no-disposable-email/vulnerability/wordpress-no-disposable-email-plugin-2-5-1-csrf-to-stored-xss-vulnerability provides technical details. Specific WordPress core version requirements or conflicts are not documented in available data.

RemediationAI

Update No Disposable Email plugin to version 2.5.2 or later if available, verifying through WordPress admin dashboard or official WordPress.org plugin repository. If patched version is not confirmed available, immediately deactivate and remove the plugin until vendor releases a fix. As compensating control, implement Web Application Firewall (WAF) rules to validate all administrative POST requests contain valid WordPress nonces, though this may interfere with legitimate admin functions if overly restrictive. Restrict WordPress admin panel access to specific IP addresses via .htaccess or network firewall rules, accepting the trade-off of reduced administrative flexibility for remote workers. Audit existing plugin configuration and database tables for suspicious JavaScript patterns or unexpected HTML entities that may indicate prior exploitation. Monitor WordPress admin activity logs for unusual configuration changes. Consult Patchstack advisory at https://patchstack.com/database/wordpress/plugin/no-disposable-email/vulnerability/wordpress-no-disposable-email-plugin-2-5-1-csrf-to-stored-xss-vulnerability for vendor-specific guidance.

Share

CVE-2025-28923 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy