CVE-2025-62089
Description
Cross-Site Request Forgery (CSRF) vulnerability in MERGADO Mergado Pack mergado-marketing-pack allows Cross Site Request Forgery. This issue affects Mergado Pack: from n/a through <= 4.2.1.
Analysis
Cross-site request forgery (CSRF) in MERGADO Mergado Pack WordPress plugin through version 4.2.1 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators, such as modifying plugin settings or triggering unintended functionality, by tricking them into visiting a malicious webpage. No public exploit code or active exploitation has been reported; EPSS score of 0.02% reflects very low real-world exploitation likelihood.
Technical Context
CSRF is a CWE-352 vulnerability where an application fails to validate that requests originate from the legitimate user rather than a third-party attacker. The MERGADO Mergado Pack WordPress plugin, identified by its WordPress plugin slug and CPE context (WordPress third-party plugin), likely lacks proper nonce validation or CSRF token verification in its administrative functions. WordPress plugins are frequently targeted for CSRF because they often handle sensitive operations (configuration changes, data modification) with insufficient anti-forgery protections. The vulnerability exists across plugin versions from an unspecified baseline through 4.2.1, suggesting the flaw may have been present for multiple releases.
Affected Products
MERGADO Mergado Pack WordPress plugin versions through 4.2.1 are affected, as reported by Patchstack; the plugin is distributed through the WordPress plugin directory. The exact starting version is not specified in the available data, but the range is described as 'from n/a through <= 4.2.1'. WordPress site administrators using this plugin should check their installed version and consult the Patchstack vulnerability database entry for confirmation.
Remediation
Upgrade MERGADO Mergado Pack to version 4.2.2 or later. The primary fix is to apply the patch released by the plugin vendor, which adds proper CSRF token (nonce) validation to administrative functions. Administrators should update the plugin immediately through the WordPress plugin management dashboard (Plugins > Installed Plugins > Mergado Pack > Update) or download the latest version from the WordPress plugin repository. No temporary workarounds are available; patching is the only remediation. For detailed patch information, refer to the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/mergado-marketing-pack/.
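The missing-nonce pattern described under Technical Context, and the nonce validation the remediation refers to, shown side by side as an added illustrative example. This is not code from the Mergado Pack plugin; the handler, option name and `hypo_` prefix are hypothetical, and the fix uses the standard WordPress nonce API (`wp_nonce_field` / `check_admin_referer`).

```php
<?php
// Added illustrative example, not code from the Mergado Pack plugin.
// A hypothetical settings-save handler for a WordPress admin page (names are made up).

// BEFORE: a state-changing admin handler that accepts any POST from a logged-in
// administrator. A capability check alone does not prove the request was intentional:
// a cross-site form auto-submitted from the admin's browser passes it, which is CWE-352.
function hypo_save_settings_unprotected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    update_option( 'hypo_feed_url', esc_url_raw( wp_unslash( $_POST['feed_url'] ?? '' ) ) );
}

// AFTER: the form carries a nonce bound to the action and the current user's session,
// and the handler refuses any request whose nonce is missing, expired or issued for
// another user or action.
function hypo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'hypo_save_settings', 'hypo_nonce' ); ?>
        <input type="hidden" name="action" value="hypo_save_settings">
        <input type="text" name="feed_url"
               value="<?php echo esc_attr( get_option( 'hypo_feed_url', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function hypo_save_settings_protected() {
    // Keep the authorization check: nonces prove intent, not permission.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() verifies $_REQUEST['hypo_nonce'] with wp_verify_nonce()
    // and terminates the request with a 403 page if verification fails.
    check_admin_referer( 'hypo_save_settings', 'hypo_nonce' );

    update_option( 'hypo_feed_url', esc_url_raw( wp_unslash( $_POST['feed_url'] ?? '' ) ) );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}
// Route the form's "action" value to the protected handler for logged-in users.
add_action( 'admin_post_hypo_save_settings', 'hypo_save_settings_protected' );
```

When auditing a plugin for this class of issue, every handler that writes options or data should show both a capability check and a nonce check; AJAX handlers use `check_ajax_referer()` in the same way.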