Skip to main content

Tribulant Software Newsletters CVE-2025-54035

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-07-16 audit@patchstack.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:42 NVD
4.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:43 vuln.today
CVE Published
Jul 16, 2025 - 11:15 nvd
N/A

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Tribulant Software Newsletters newsletters-lite allows Cross Site Request Forgery.This issue affects Newsletters: from n/a through <= 4.10.

AnalysisAI

Cross-site request forgery in Tribulant Software Newsletters (newsletters-lite) plugin versions up to 4.10 allows attackers to perform unauthorized administrative actions by tricking authenticated users into visiting malicious pages. The vulnerability affects a widely-distributed WordPress plugin with no CVSS vector or CVSS score assigned, though EPSS scoring indicates minimal real-world exploitation probability (0.02%, 6th percentile). No public exploit code or active exploitation has been confirmed.

Technical ContextAI

This is a classic CSRF vulnerability (CWE-352) in a WordPress plugin, where the application fails to implement or properly validate anti-CSRF tokens (such as WordPress nonces) on state-changing requests. The newsletters-lite plugin, used for email subscription management, does not adequately protect its administrative or user-facing endpoints against cross-origin requests. An attacker can craft a malicious webpage or email containing a hidden form or JavaScript that, when visited by an authenticated WordPress user with sufficient privileges, automatically submits requests to the plugin's backend without the user's knowledge or consent. The vulnerability likely affects form submissions related to newsletter configuration, subscription management, or plugin settings.

Affected ProductsAI

Tribulant Software Newsletters (newsletters-lite) WordPress plugin versions from an unspecified baseline through version 4.10 are affected. The plugin is distributed via the official WordPress plugin repository. Affected users can identify their version number in the WordPress admin dashboard under Plugins. No CPE string is formally assigned; the plugin is identified by its WordPress slug 'newsletters-lite' on patchstack.com and the WordPress.org plugin directory.

RemediationAI

Update the newsletters-lite plugin to a patched version newer than 4.10 immediately via the WordPress dashboard (Plugins > Installed Plugins > newsletters-lite > Update). Tribulant Software has released a fix; users should check the plugin's update notification or visit the plugin repository page to confirm the latest available version. As an interim measure on sites unable to update immediately, restrict plugin access to trusted administrators only and disable the plugin if it is not actively in use. Site administrators should audit recent newsletter submissions and configuration changes via WordPress logs to detect unauthorized modifications. The detailed vulnerability report and patch confirmation are available at https://patchstack.com/database/Wordpress/Plugin/newsletters-lite/vulnerability/wordpress-newsletters-plugin-4-10-cross-site-request-forgery-csrf-vulnerability.

Share

CVE-2025-54035 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy