WordPress Ultimate Subscribe Plugin Cross-Site Request Forgery Vulnerability Allowing Reflected Cross-Site Scripting
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the WordPress Ultimate Subscribe plugin, affecting versions through 1.3. The weakness can be leveraged for Reflected Cross-Site Scripting (XSS). It arises because the plugin does not adequately verify that incoming requests were intentionally submitted by the current user, so a user with higher privileges can be led to perform actions they did not intend.
Impact
Exploitation of this vulnerability could enable attackers to trick users with higher privileges into executing actions they did not intend, potentially leading to unauthorized changes or disclosures.
Remediation
Users of the WordPress Ultimate Subscribe plugin are advised to update to version 1.3 or later. For those unable to update immediately, Patchstack offers a virtual patch that can be applied to mitigate the vulnerability.
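The following example is added here to illustrate the vulnerability class described above and the remediation a plugin author applies; it is not the Ultimate Subscribe plugin's code, and every function name, option key and capability in it is an assumption made for this illustration. The weak handler trusts any POST that reaches it and echoes the submitted value unescaped, so a forged request from a higher-privileged user both changes a setting and reflects attacker-chosen markup. The hardened handler adds the three controls WordPress core provides for this: a capability check, a nonce that is tied to the user and action, and sanitising on input with escaping on output.

```php
<?php
/**
 * Hypothetical WordPress settings page, written for illustration only.
 * This is NOT the Ultimate Subscribe plugin's code; the function names,
 * the option key and the capability are assumptions for this example.
 */

// --- Weak pattern (the CSRF -> reflected XSS shape) -------------------------
// No nonce: any site can submit this form on behalf of a logged-in admin.
// No escaping: the submitted "title" is reflected raw into the response.
function hypothetical_subscribe_settings_page_weak() {
    if ( isset( $_POST['title'] ) ) {
        $title = $_POST['title'];
        update_option( 'hypothetical_subscribe_title', $title );
        echo '<div class="updated"><p>Saved title: ' . $title . '</p></div>';
    }
    echo '<form method="post">';
    echo '<input type="text" name="title">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}

// --- Hardened pattern --------------------------------------------------------
// 1. Capability check: only users allowed to manage options may proceed.
// 2. Nonce check: the request must carry a token that only a page rendered
//    for this user on this site could contain, which defeats CSRF.
// 3. Sanitise on input and escape on output, so nothing is reflected raw.
function hypothetical_subscribe_settings_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hypothetical' ), '', array( 'response' => 403 ) );
    }

    if ( isset( $_POST['hypothetical_subscribe_nonce'] ) ) {
        $nonce = sanitize_text_field( wp_unslash( $_POST['hypothetical_subscribe_nonce'] ) );
        if ( ! wp_verify_nonce( $nonce, 'hypothetical_subscribe_save' ) ) {
            // A forged cross-site request cannot supply a valid nonce; stop here.
            wp_die( esc_html__( 'Request could not be verified.', 'hypothetical' ), '', array( 'response' => 403 ) );
        }

        $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
        update_option( 'hypothetical_subscribe_title', $title );

        // Escape on output even though the value was sanitised on input.
        echo '<div class="updated"><p>' . esc_html__( 'Saved title:', 'hypothetical' )
            . ' ' . esc_html( $title ) . '</p></div>';
    }

    // The form embeds the nonce that the handler above verifies.
    echo '<form method="post">';
    wp_nonce_field( 'hypothetical_subscribe_save', 'hypothetical_subscribe_nonce' );
    echo '<input type="text" name="title" value="'
        . esc_attr( get_option( 'hypothetical_subscribe_title', '' ) ) . '">';
    submit_button( __( 'Save', 'hypothetical' ) );
    echo '</form>';
}

// Register the hardened page under Settings (menu slug and titles are assumed).
add_action( 'admin_menu', function () {
    add_options_page(
        'Hypothetical Subscribe',
        'Hypothetical Subscribe',
        'manage_options',
        'hypothetical-subscribe',
        'hypothetical_subscribe_settings_page_hardened'
    );
} );
```

When reviewing a plugin for this class of issue, the check is mechanical: every handler that changes state or echoes request data on a privileged page should show a `current_user_can()` call, a `wp_verify_nonce()` or `check_admin_referer()` call, and `esc_html()`/`esc_attr()` around anything that came from the request. A virtual patch such as the one mentioned above works at the request layer in front of the plugin, which is why it can mitigate the issue until the plugin itself is updated.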
