Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in aharonyan WP Front User Submit / Front Editor allows Cross Site Request Forgery. This issue affects WP Front User Submit / Front Editor: from n/a through 4.9.4.
AnalysisAI
CVE-2025-52795 is a Cross-Site Request Forgery (CSRF) vulnerability in the aharonyan WP Front User Submit / Front Editor WordPress plugin (versions up to 4.9.4) that allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. The vulnerability has a CVSS score of 7.1 with high availability impact, enabling attackers to modify or delete user-submitted content through malicious web requests without user consent.
Technical ContextAI
This vulnerability exists in the WP Front User Submit / Front Editor plugin for WordPress, which allows users to submit and edit content from the frontend without administrative access. The root cause is CWE-352 (Cross-Site Request Forgery), indicating insufficient CSRF token validation or missing security nonces in the plugin's request handlers. WordPress plugins must implement wp_nonce_field() and wp_verify_nonce() functions to validate requests; this plugin fails to properly implement these protections on one or more critical functions. The vulnerability affects the plugin's user submission and editing functionality, allowing attackers to craft malicious websites or emails that, when visited by logged-in WordPress users, trigger unauthorized form submissions that modify user-generated content or perform administrative actions within the plugin's scope.
RemediationAI
Immediate actions: (1) Update the aharonyan WP Front User Submit / Front Editor plugin to the latest available version beyond 4.9.4 if a patch has been released (check WordPress.org plugin repository and vendor advisories); (2) If no patched version is available, deactivate and remove the plugin until a security update is released; (3) Temporary mitigation: Restrict plugin functionality to authenticated users only via WordPress user roles/capabilities if possible, reducing the attack surface; (4) Implement Web Application Firewall (WAF) rules to detect and block suspicious cross-origin POST requests to the plugin's handlers if the plugin endpoints are known. Long-term: The plugin developers (aharonyan) must implement WordPress security functions: add wp_nonce_field() to all frontend forms and use wp_verify_nonce() to validate all POST/PUT/DELETE requests. Alternatively, use REST API with proper nonce validation via wp_rest_nonce_middleware or _wpnonce parameter.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-28470