CVE-2025-54035

2025-07-16 [email protected]

Lifecycle Timeline

- Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)
- CVE Published: Jul 16, 2025 - 11:15 (nvd)

Description

Cross-Site Request Forgery (CSRF) vulnerability in Tribulant Software Newsletters newsletters-lite allows Cross Site Request Forgery. This issue affects Newsletters: from n/a through <= 4.10.

Analysis

Cross-site request forgery in the Tribulant Software Newsletters (newsletters-lite) plugin, versions up to and including 4.10, allows attackers to perform unauthorized administrative actions by tricking authenticated users into visiting malicious pages. The vulnerability affects a widely distributed WordPress plugin with no CVSS vector or score assigned, though EPSS scoring indicates minimal real-world exploitation probability (0.02%, 6th percentile). No public exploit code or active exploitation has been confirmed.

Technical Context

This is a classic CSRF vulnerability (CWE-352) in a WordPress plugin, where the application fails to implement or properly validate anti-CSRF tokens (such as WordPress nonces) on state-changing requests. The newsletters-lite plugin, used for email subscription management, does not adequately protect its administrative or user-facing endpoints against cross-origin requests. An attacker can craft a malicious webpage or email containing a hidden form or JavaScript that, when visited by an authenticated WordPress user with sufficient privileges, automatically submits requests to the plugin's backend without the user's knowledge or consent. The vulnerability likely affects form submissions related to newsletter configuration, subscription management, or plugin settings.
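The following is an added illustrative example, not code from the newsletters-lite plugin or from Tribulant Software. It contrasts the unprotected handler pattern described above (a state-changing request accepted on the strength of the user's session cookie alone) with the standard WordPress mitigation: a capability check plus a nonce bound to the specific action, verified with `check_admin_referer()` before any option is written. All names prefixed `example_nl_` (the hook, option key, nonce action and field name) are hypothetical.

```php
<?php
// Added example: a hypothetical WordPress admin-post.php handler for saving a
// newsletter "from" address. Not the plugin's code; all example_nl_* names are invented.

// --- Vulnerable pattern (CWE-352), shown for contrast and NOT registered on a hook ---
// Any POST that carries the logged-in admin's cookies is accepted, including one
// auto-submitted from a third-party page, because nothing ties the request to a
// form the user actually rendered on this site.
function example_nl_save_settings_vulnerable() {
    update_option( 'example_nl_from_email', sanitize_email( $_POST['from_email'] ?? '' ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-nl&saved=1' ) );
    exit;
}

// --- Hardened pattern ---
// 1. The settings form embeds a nonce bound to the action name. The nonce is
//    derived from the user's session and a time window, so a cross-origin page
//    cannot know or guess it.
function example_nl_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_nl_save_settings">
        <?php wp_nonce_field( 'example_nl_save_settings', '_example_nl_nonce' ); ?>
        <input type="email" name="from_email"
               value="<?php echo esc_attr( get_option( 'example_nl_from_email', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. The handler checks authorization first, then the nonce, and only then
//    changes state. check_admin_referer() calls wp_die() with a 403 when the
//    nonce is missing or invalid, so a forged request never reaches update_option().
add_action( 'admin_post_example_nl_save_settings', 'example_nl_save_settings_hardened' );
function example_nl_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_nl_save_settings', '_example_nl_nonce' );

    $from_email = sanitize_email( wp_unslash( $_POST['from_email'] ?? '' ) );
    if ( ! is_email( $from_email ) ) {
        wp_die( 'Invalid e-mail address.', '', array( 'response' => 400 ) );
    }
    update_option( 'example_nl_from_email', $from_email );
    wp_safe_redirect( admin_url( 'admin.php?page=example-nl&saved=1' ) );
    exit;
}
```

The same two checks apply to AJAX and REST endpoints: `wp_ajax_*` handlers should call `check_ajax_referer()` with the action name, and REST routes should declare a `permission_callback` (the REST API validates the `X-WP-Nonce` header for cookie-authenticated requests). When auditing a plugin for this class of bug, look for every `update_option()`, `wp_insert_post()`, or custom-table write reachable from a request handler and confirm that a nonce check and a capability check precede it.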

Affected Products

Tribulant Software Newsletters (newsletters-lite) WordPress plugin versions from an unspecified baseline through version 4.10 are affected. The plugin is distributed via the official WordPress plugin repository. Affected users can identify their version number in the WordPress admin dashboard under Plugins. No CPE string is formally assigned; the plugin is identified by its WordPress slug 'newsletters-lite' on patchstack.com and the WordPress.org plugin directory.

Remediation

Update the newsletters-lite plugin to a patched version newer than 4.10 immediately via the WordPress dashboard (Plugins > Installed Plugins > newsletters-lite > Update). Tribulant Software has released a fix; users should check the plugin's update notification or visit the plugin repository page to confirm the latest available version. As an interim measure on sites unable to update immediately, restrict plugin access to trusted administrators only and disable the plugin if it is not actively in use. Site administrators should audit recent newsletter submissions and configuration changes via WordPress logs to detect unauthorized modifications. The detailed vulnerability report and patch confirmation are available at https://patchstack.com/database/Wordpress/Plugin/newsletters-lite/vulnerability/wordpress-newsletters-plugin-4-10-cross-site-request-forgery-csrf-vulnerability.

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
