CVE-2025-54010

2025-07-16

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)
CVE Published: Jul 16, 2025 - 11:15 (nvd)

Description

Cross-Site Request Forgery (CSRF) vulnerability in Shahjahan Jewel FluentSnippets easy-code-manager allows Cross Site Request Forgery. This issue affects FluentSnippets: from n/a through <= 10.50.

Analysis

Cross-site request forgery (CSRF) in the WordPress plugin FluentSnippets (wordpress.org slug easy-code-manager), versions up to and including 10.50, lets an attacker who controls a web page the victim visits make the victim's browser submit a state-changing request to the victim's own WordPress site. The attacker needs no account on the target: the browser attaches the victim's logged-in session cookies automatically, and the vulnerable handler does not check that the request was intentionally initiated from the site's own interface. The EPSS score is low (0.03%), and exploitation requires luring a logged-in user who holds the relevant privileges, typically an administrator, to attacker-controlled content, so practical risk is governed by who administers the site and how they browse while logged in rather than by technical difficulty. The advisory does not name the affected action; since the plugin manages code snippets, a forged request that creates or alters a snippet could place attacker-chosen content on the site, so the issue should be treated as high-impact until the patched build is in place.

Technical Context

CSRF (CWE-352) arises when an application accepts a state-changing request without evidence that the logged-in user meant to send it. Because the browser attaches session cookies to cross-site requests, a capability check such as current_user_can() does not help on its own: the victim really is an administrator, and the forged request runs with their rights. The defence WordPress provides is the nonce, a token bound to an action name and the current user that is embedded in the form or request (wp_nonce_field(), wp_create_nonce()) and verified on the server before anything is written: check_admin_referer() for admin-post.php and form handlers, check_ajax_referer() for admin-ajax.php, or wp_verify_nonce() for the raw check. REST API routes are covered when they declare a permission_callback, since cookie-authenticated REST requests are treated as logged-in only when a valid X-WP-Nonce header (action wp_rest) accompanies them. FluentSnippets manages code snippets, and the advisory indicates that at least one administrative or snippet-management handler in the easy-code-manager plugin accepts such requests without a valid nonce; this page does not identify which one. Browser SameSite cookie defaults narrow the window for cross-site POSTs but are not a substitute for the server-side check, and WordPress does not set SameSite on its auth cookies by default.
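The nonce check described above, written out as an added illustration rather than FluentSnippets' own code (this is also the check the Remediation section asks developers to confirm). The handler, form, option name and action names prefixed "example_" are hypothetical; only the WordPress API calls (check_admin_referer(), wp_nonce_field(), check_ajax_referer(), current_user_can(), update_option()) are real. The first handler shows why a capability check alone does not stop CSRF; the second adds the nonce; the form shows where the matching token comes from.

```php
<?php
/*
 * Added illustration, not FluentSnippets code. A hypothetical "save snippet"
 * handler registered on admin-post.php, first without and then with the
 * WordPress nonce check. Names prefixed "example_" are invented for this
 * example; the WordPress functions are real.
 */

// --- Vulnerable: capability check only -------------------------------------
// current_user_can() passes for a forged cross-site request because the
// victim's browser attaches their logged-in cookies and the victim really is
// an administrator. Nothing proves the request came from the site's own form.
function example_save_snippet_vulnerable() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
	}
	$code = isset( $_POST['snippet_code'] ) ? wp_unslash( $_POST['snippet_code'] ) : '';
	update_option( 'example_snippet_code', $code ); // attacker-chosen content lands here
	wp_safe_redirect( admin_url( 'admin.php?page=example-snippets' ) );
	exit;
}
add_action( 'admin_post_example_save_snippet_vulnerable', 'example_save_snippet_vulnerable' );

// --- Hardened: nonce first, then capability ---------------------------------
// check_admin_referer() runs wp_verify_nonce() on $_POST['example_nonce']
// against the action 'example_save_snippet'. The nonce is tied to the
// logged-in user and valid for at most 24 hours; a missing, stale or
// wrong-action nonce stops the request with a 403 "link has expired" page.
function example_save_snippet_hardened() {
	check_admin_referer( 'example_save_snippet', 'example_nonce' );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
	}
	$code = isset( $_POST['snippet_code'] ) ? wp_unslash( $_POST['snippet_code'] ) : '';
	update_option( 'example_snippet_code', $code );
	wp_safe_redirect( admin_url( 'admin.php?page=example-snippets' ) );
	exit;
}
add_action( 'admin_post_example_save_snippet', 'example_save_snippet_hardened' );

// --- The legitimate form must carry the matching nonce ----------------------
// wp_nonce_field() emits <input type="hidden" name="example_nonce" value="...">
// plus a _wp_http_referer field. A page on another origin cannot read this
// value, so it cannot build a request that passes check_admin_referer().
function example_render_snippet_form() {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="example_save_snippet">
		<?php wp_nonce_field( 'example_save_snippet', 'example_nonce' ); ?>
		<textarea name="snippet_code" rows="10" cols="80"></textarea>
		<?php submit_button( 'Save snippet' ); ?>
	</form>
	<?php
}

// --- Same rule for the other entry points -----------------------------------
// admin-ajax.php handler: replace check_admin_referer() with
//   check_ajax_referer( 'example_save_snippet', 'example_nonce' );
// REST route: register it with a permission_callback that checks the
// capability; cookie-authenticated REST calls are treated as logged-in only
// when the client sends a valid X-WP-Nonce header created for the 'wp_rest'
// action, so the nonce check is part of the REST cookie-auth path itself.
```

The order in the hardened handler matters for auditing: the nonce check comes first and is unconditional, so a reviewer can confirm at a glance that no code path writes state without it. Swapping it for a Referer or Origin header check is weaker, since those headers can be absent, and relying on SameSite cookie behaviour alone leaves the handler exposed to browsers and configurations that do not enforce it.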

Affected Products

WordPress plugin FluentSnippets (wordpress.org slug easy-code-manager), versions up to and including 10.50. No CPE is listed on this page; the product is identified by its wordpress.org plugin slug. The vendor is listed as Shahjahan Jewel, and the advisory was published through Patchstack's vulnerability database.

Remediation

Update FluentSnippets to a release newer than 10.50 from the official WordPress plugin repository. This page does not state the first fixed version, so confirm it on the Patchstack advisory linked below before relying on a specific number. In the WordPress dashboard, go to Plugins > Installed Plugins, locate FluentSnippets, and apply the available update (or run `wp plugin update easy-code-manager` with WP-CLI). If no patched version is available, deactivate the plugin until one is released; a deactivated plugin does not register its admin-side handlers, so a forged request has nothing to reach. Developers auditing the plugin, or their own, should confirm that every state-changing handler carries a nonce in the form or request and verifies it before acting, via check_admin_referer(), check_ajax_referer() or wp_verify_nonce(), and that the nonce check has not been replaced by a capability check alone. Vulnerability details and update status: https://patchstack.com/database/Wordpress/Plugin/easy-code-manager/vulnerability/wordpress-fluentsnippets-plugin-10-50-cross-site-request-forgery-csrf-vulnerability
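An added check (example code, not vuln.today's or the plugin's own tooling) that turns the affected range into something scriptable across several sites: a POSIX sh function that decides whether an installed FluentSnippets version falls in the affected range (<= 10.50), and a wrapper that reads the version with WP-CLI. The slug easy-code-manager is taken from the advisory URL on this page; WP-CLI being installed and the site paths are assumptions. It deliberately compares against the last affected version rather than assuming a fixed version number, since the page does not state one.

```shell
#!/bin/sh
# Added example (not vuln.today's or FluentSnippets' tooling). Classifies an
# installed FluentSnippets version against the advisory's affected range
# "through 10.50". Only POSIX sh plus sort -V (GNU/busybox coreutils) is used.

AFFECTED_MAX="10.50"   # last affected release named by the advisory

# fluentsnippets_affected VERSION
#   exit 0  -> VERSION is in the affected range (VERSION <= 10.50)
#   exit 1  -> VERSION is newer than 10.50
#   exit 2  -> VERSION was empty or unparsable
fluentsnippets_affected() {
	# Drop a leading "v" and any pre-release suffix ("10.51-beta" -> "10.51").
	v=$(printf '%s' "$1" | sed -e 's/^[vV]//' -e 's/-.*$//')
	case "$v" in
		''|*[!0-9.]*) return 2 ;;   # reject empty or non-numeric input
	esac
	# sort -V orders versions numerically per component (10.9 < 10.50).
	# If the installed version sorts first, or equals the maximum, it is
	# not newer than 10.50 and therefore affected.
	lowest=$(printf '%s\n%s\n' "$v" "$AFFECTED_MAX" | sort -V | head -n 1)
	[ "$lowest" = "$v" ]
}

# check_site WP_PATH
#   Reads the installed version with WP-CLI (assumed available) and prints a
#   verdict. Exit codes mirror fluentsnippets_affected; 3 = plugin not present.
check_site() {
	ver=$(wp plugin get easy-code-manager --path="$1" --field=version 2>/dev/null) || {
		echo "$1: easy-code-manager not installed"
		return 3
	}
	if fluentsnippets_affected "$ver"; then
		echo "$1: FluentSnippets $ver is AFFECTED (CVE-2025-54010); update or deactivate"
		return 0
	else
		echo "$1: FluentSnippets $ver is newer than 10.50"
		return 1
	fi
}

# Usage: sh check_fluentsnippets.sh /var/www/site1 [/var/www/site2 ...]
for site in "$@"; do
	check_site "$site" || true
done
```

Run it from a host that has WP-CLI and read access to each site's wp-config.php; the per-site exit codes make it easy to feed into a fleet inventory. Once the Patchstack advisory names the fixed version, tightening the check to "installed version is at least the fixed version" is a one-line change to AFFECTED_MAX and the comparison.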

Priority Score

0 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0

CVE-2025-54010 vulnerability details – vuln.today
