MERGADO Mergado Pack CVE-2025-62089
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in MERGADO Mergado Pack mergado-marketing-pack allows Cross Site Request Forgery.This issue affects Mergado Pack: from n/a through <= 4.2.1.
AnalysisAI
Cross-site request forgery (CSRF) in MERGADO Mergado Pack WordPress plugin through version 4.2.1 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators, such as modifying plugin settings or triggering unintended functionality, by tricking them into visiting a malicious webpage. No public exploit code or active exploitation has been reported; EPSS score of 0.02% reflects very low real-world exploitation likelihood.
Technical ContextAI
CSRF is a CWE-352 vulnerability where an application fails to validate that requests originate from the legitimate user rather than a third-party attacker. The MERGADO Mergado Pack WordPress plugin, identified by its WordPress plugin slug and CPE context (WordPress third-party plugin), likely lacks proper nonce validation or CSRF token verification in its administrative functions. WordPress plugins are frequently targeted for CSRF because they often handle sensitive operations (configuration changes, data modification) with insufficient anti-forgery protections. The vulnerability exists across plugin versions from an unspecified baseline through 4.2.1, suggesting the flaw may have been present for multiple releases.
Affected ProductsAI
MERGADO Mergado Pack WordPress plugin versions through 4.2.1 are affected, as reported by Patchstack and available in the vulnerability database at the WordPress Plugin registry. The exact starting version is not specified in available data, but the range is described as 'from n/a through <= 4.2.1'. WordPress site administrators using this plugin should consult the Patchstack vulnerability database entry for confirmation of their installed version.
RemediationAI
Upgrade MERGADO Mergado Pack to version 4.2.2 or later. The primary fix is to apply the patch released by the plugin vendor, which adds proper CSRF token (nonce) validation to administrative functions. Administrators should update the plugin immediately through the WordPress plugin management dashboard (Plugins > Installed Plugins > Mergado Pack > Update) or download the latest version from the WordPress plugin repository. No temporary workarounds are available; patching is the only remediation. For detailed patch information, refer to the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/mergado-marketing-pack/.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today