Description
The Mortgage Lead Capture System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.2.11. This is due to missing or incorrect nonce validation on the 'wprequal_reset_defaults' action. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-02-18
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Settings Reset via CSRF
Action: Patch
AI Analysis

Impact

Missing or incorrect nonce validation for the wprequal_reset_defaults action in the WPrequal plugin for WordPress creates a CSRF flaw that lets an unauthenticated attacker trick an administrator into resetting the plugin’s settings to defaults. This disrupts loan‑capture operations and can expose sensitive configuration data. The weakness is identified as CWE‑352.

Affected Systems

All WPrequal installations by Kevin‑Brent running WordPress plugin version 8.2.11 or earlier are vulnerable. Versions newer than 8.2.11 include the necessary nonce check and are not affected.

Risk and Exploitability

The CVSS score of 4.3 marks the issue as moderate severity, and the EPSS score of below 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Nonetheless, an attacker can send a crafted link to an administrator, causing the settings to be reset and potentially leading to operational disruption. The risk is moderate but should not be ignored in critical loan‑processing environments.

Generated by OpenCVE AI on April 28, 2026 at 03:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of the WPrequal plugin (8.2.12 or later) that includes the proper nonce validation.
  • Ensure all WordPress installations and plugins are kept current and verify the plugin’s changelog for the nonce fix.
  • As a temporary measure, restrict the wprequal_reset_defaults endpoint to allow only administrators and consider disabling the action or using a security plugin to block CSRF attempts until the patch is applied.

Generated by OpenCVE AI on April 28, 2026 at 03:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-4830 The Mortgage Lead Capture System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.2.10. This is due to missing or incorrect nonce validation on the 'wprequal_reset_defaults' action. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Wed, 08 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
Description The Mortgage Lead Capture System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.2.10. This is due to missing or incorrect nonce validation on the 'wprequal_reset_defaults' action. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The Mortgage Lead Capture System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.2.11. This is due to missing or incorrect nonce validation on the 'wprequal_reset_defaults' action. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Mortgage Lead Capture System <= 8.2.10 - Cross-Site Request Forgery to Settings Reset Mortgage Lead Capture System <= 8.2.11 - Cross-Site Request Forgery to Settings Reset
References

Fri, 21 Feb 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Kevinbrent
Kevinbrent wprequal
CPEs cpe:2.3:a:kevinbrent:wprequal:*:*:*:*:*:wordpress:*:*
Vendors & Products Kevinbrent
Kevinbrent wprequal

Tue, 18 Feb 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 18 Feb 2025 04:30:00 +0000

Type Values Removed Values Added
Description The Mortgage Lead Capture System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.2.10. This is due to missing or incorrect nonce validation on the 'wprequal_reset_defaults' action. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Mortgage Lead Capture System <= 8.2.10 - Cross-Site Request Forgery to Settings Reset
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Kevinbrent Wprequal
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:45:09.347Z

Reserved: 2025-01-28T14:40:20.184Z

Link: CVE-2025-0796

cve-icon Vulnrichment

Updated: 2025-02-18T15:16:54.308Z

cve-icon NVD

Status : Modified

Published: 2025-02-18T05:15:19.597

Modified: 2026-04-08T17:19:53.897

Link: CVE-2025-0796

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T03:45:20Z

Weaknesses