Skip to main content

Pricing Table builder CVE-2025-62886

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-10-27 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Analysis Updated
Apr 24, 2026 - 01:11 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:42 NVD
8.8 (HIGH) 7.1 (HIGH)
Analysis Generated
Apr 01, 2026 - 15:22 vuln.today
CVE Published
Oct 27, 2025 - 02:15 nvd
HIGH 8.8

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in wpdevart Pricing Table builder wpdevart-pricing-table allows Stored XSS.This issue affects Pricing Table builder: from n/a through <= 1.5.3.

AnalysisAI

Cross-site request forgery enables stored XSS injection in WordPress Pricing Table builder plugin versions up to 1.5.3. Remote unauthenticated attackers can trick authenticated WordPress administrators into executing malicious requests that inject persistent JavaScript payloads into pricing table configurations. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability, and no active exploitation has been confirmed via CISA KEV. The changed scope (S:C) in CVSS vector indicates potential for broader site compromise beyond the plugin's security context.

Technical ContextAI

WordPress Pricing Table builder is a plugin for creating and managing pricing tables in WordPress sites. This vulnerability chains two distinct weaknesses: CWE-352 (Cross-Site Request Forgery) as the initial attack vector, enabling a subsequent stored XSS attack. The CSRF weakness allows attackers to forge requests from authenticated administrators without proper anti-CSRF token validation. The stored XSS component persists malicious JavaScript in the database, affecting all users who view the compromised pricing tables. The CVSS changed scope (S:C) metric indicates the XSS payload can execute in a different security context than the vulnerable plugin component, potentially accessing broader WordPress site resources or session data.

Affected ProductsAI

WordPress Pricing Table builder plugin by wpdevart, all versions from earliest release through version 1.5.3 inclusive. The vulnerability report from Patchstack specifically identifies version 1.5.1 as affected, with the NVD record extending coverage through 1.5.3. Exact CPE designation not provided in available data. Affects WordPress installations running the wpdevart-pricing-table plugin at vulnerable versions. Vendor advisory and detailed vulnerability information available at Patchstack database reference link.

RemediationAI

Upgrade WordPress Pricing Table builder plugin to version 1.5.4 or later if available, verifying from the WordPress plugin repository or wpdevart vendor site that the fixed version addresses CVE-2025-62886. Check Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/wpdevart-pricing-table/ for confirmed fix version and vendor advisory. If immediate patching is not feasible, implement compensating controls: disable or remove the wpdevart-pricing-table plugin until patched version is deployed; educate WordPress administrators to avoid clicking external links while authenticated to wp-admin dashboard; implement WordPress security plugins with CSRF protection and XSS filtering capabilities; restrict wp-admin access to trusted IP ranges via .htaccess or firewall rules, noting this may impact legitimate remote administration; conduct security audit of existing pricing tables for injected JavaScript payloads, examining table content in database wp_posts and plugin-specific tables for suspicious script tags or event handlers. Note that access restrictions impact administrative workflows and should be balanced against operational requirements.

Share

CVE-2025-62886 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy