CVE-2025-52795

EUVD-2025-28470 | HIGH | 2025-06-20 | [email protected] | CVSS 3.1 base score: 7.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 15, 2026 00:19 (euvd), EUVD-2025-28470
Analysis Generated: Mar 15, 2026 00:19 (vuln.today)
CVE Published: Jun 20, 2025 15:15 (nvd), HIGH 7.1

Description

Cross-Site Request Forgery (CSRF) vulnerability in aharonyan WP Front User Submit / Front Editor allows Cross Site Request Forgery. This issue affects WP Front User Submit / Front Editor: from n/a through 4.9.4.

Analysis

CVE-2025-52795 is a Cross-Site Request Forgery (CSRF) vulnerability in the aharonyan WP Front User Submit / Front Editor WordPress plugin (versions up to 4.9.4). An attacker who holds no account on the site can cause a logged-in user's browser to submit requests that the plugin accepts as that user's own actions. The vulnerability has a CVSS score of 7.1 with high availability impact: a forged request can modify or delete user-submitted content without the user's consent.

Technical Context

This vulnerability exists in the WP Front User Submit / Front Editor plugin for WordPress, which lets users submit and edit content from the front end without administrative access. The root cause is CWE-352 (Cross-Site Request Forgery): the plugin's request handlers do not sufficiently validate a CSRF token (a WordPress security nonce), or omit one entirely. WordPress provides wp_nonce_field() to embed a nonce in a form and wp_verify_nonce() to validate it when the form is submitted; this plugin fails to apply these protections on one or more critical functions. The vulnerability affects the plugin's user submission and editing functionality. An attacker can craft a malicious web page or email that, when visited by a logged-in WordPress user, triggers unauthorized form submissions that modify user-generated content or perform administrative actions within the plugin's scope.

Affected Products

Product: aharonyan WP Front User Submit / Front Editor (WordPress plugin). Affected versions: 4.9.4 and all prior versions (the vendor states 'from n/a through 4.9.4'). CPE string (estimated): cpe:2.3:a:aharonyan:wp_front_user_submit:*:*:*:*:*:wordpress:*:*. Configuration: any WordPress installation with this plugin active is vulnerable, in both single-site and multisite deployments. No version information indicates when the vulnerability was introduced; the 'from n/a' wording suggests it may affect all released versions. Users of older versions (pre-4.0) should also assume they are vulnerable unless a patch is explicitly stated.

Remediation

Immediate actions:

1. Update the aharonyan WP Front User Submit / Front Editor plugin to the latest available version beyond 4.9.4 if a patch has been released (check the WordPress.org plugin repository and vendor advisories).
2. If no patched version is available, deactivate and remove the plugin until a security update is released.
3. Temporary mitigation: restrict plugin functionality to authenticated users only via WordPress user roles/capabilities if possible, reducing the attack surface.
4. Implement Web Application Firewall (WAF) rules to detect and block suspicious cross-origin POST requests to the plugin's handlers if the plugin endpoints are known.

Long-term: the plugin developers (aharonyan) must implement the WordPress security functions: add wp_nonce_field() to all frontend forms and use wp_verify_nonce() to validate all POST/PUT/DELETE requests. Alternatively, use the REST API with proper nonce validation via the _wpnonce parameter (or the X-WP-Nonce header).
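As an added example (not code from the WP Front User Submit / Front Editor plugin), this is the pattern the long-term fix describes: a front-end edit form that embeds a nonce with wp_nonce_field() and a handler that rejects the request unless wp_verify_nonce() succeeds, then checks the user's capability separately. The action name, field names and every identifier prefixed example_fe_ are assumptions.

```php
<?php
// Added example, not the plugin's own code. Names prefixed example_fe_ are assumed.

// 1. Render the edit form: embed a nonce bound to a specific action and post ID.
function example_fe_render_edit_form( $post_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_fe_edit_post">
        <input type="hidden" name="post_id" value="<?php echo (int) $post_id; ?>">
        <?php wp_nonce_field( 'example_fe_edit_post_' . (int) $post_id, '_example_fe_nonce' ); ?>
        <textarea name="content"><?php echo esc_textarea( get_post_field( 'post_content', $post_id ) ); ?></textarea>
        <button type="submit">Save</button>
    </form>
    <?php
}

// 2. Handle the submission. The admin_post_{action} hook only fires for logged-in users,
//    which is exactly the population a CSRF attack targets, so the nonce check is essential.
function example_fe_handle_edit_post() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    $nonce   = isset( $_POST['_example_fe_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_example_fe_nonce'] ) )
        : '';

    // A cross-site page cannot read the victim's nonce, so a forged request fails here.
    if ( ! $post_id || ! wp_verify_nonce( $nonce, 'example_fe_edit_post_' . $post_id ) ) {
        wp_die( 'Invalid or expired request.', 'Forbidden', array( 'response' => 403 ) );
    }

    // A valid nonce proves intent, not permission: still check the user may edit this post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'You may not edit this post.', 'Forbidden', array( 'response' => 403 ) );
    }

    $content = isset( $_POST['content'] ) ? wp_kses_post( wp_unslash( $_POST['content'] ) ) : '';
    wp_update_post( array( 'ID' => $post_id, 'post_content' => $content ) );

    wp_safe_redirect( add_query_arg( 'updated', '1', get_permalink( $post_id ) ) );
    exit;
}
add_action( 'admin_post_example_fe_edit_post', 'example_fe_handle_edit_post' );
```

The same two checks (nonce, then capability) belong on every handler that deletes or modifies content; the nonce alone does not authorize the action, and the capability check alone does not stop a forged request.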

Priority Score

36 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.0, CVSS +36, POC 0


CVE-2025-52795 vulnerability details – vuln.today
