Description
The Easy Email Subscription plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the show_editsub_page() function. This makes it possible for unauthenticated attackers to delete arbitrary subscribers via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-11-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Subscriber Data Deletion
Action: Patch
AI Analysis

Impact

The Easy Email Subscription plugin for WordPress contains a Cross‑Site Request Forgery flaw stemming from the absence or mis‑implementation of nonce checks in the show_editsub_page() routine. An unauthenticated attacker can craft a forged request that, if executed by a site administrator, will delete any subscriber record. This flaw does not allow code execution but results in loss of user data and potential disruption of subscription services.

Affected Systems

All installations of the Easy Email Subscription plugin by yudiz with versions 1.3 and earlier are affected. No further version details are provided beyond the <=1.3 constraint.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity risk. The EPSS score, being in the less than 1% bracket, suggests a very low likelihood of exploitation at the time of analysis. The flaw is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Attackers would need to socially engineer an administrator into clicking a malicious link or submitting a forged form; no privileged or authenticated access is required to carry out the deletion.

Generated by OpenCVE AI on April 22, 2026 at 16:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Easy Email Subscription to a version newer than 1.3 to obtain the fixed nonce validation.
  • Disable the Easy Email Subscription plugin or uninstall it until a patched version is available to prevent accidental deletion.
  • Educate site administrators to verify URLs and be cautious of suspicious links, especially when logged in as admin.

Generated by OpenCVE AI on April 22, 2026 at 16:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 06 Nov 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 06 Nov 2025 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Yudiz
Yudiz easy Email Subscription
Vendors & Products Wordpress
Wordpress wordpress
Yudiz
Yudiz easy Email Subscription

Thu, 06 Nov 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Easy Email Subscription plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the show_editsub_page() function. This makes it possible for unauthenticated attackers to delete arbitrary subscribers via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Easy Email Subscription <= 1.3 - Cross-Site Request Forgery to Arbitrary Subscriber Deletion
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
Yudiz Easy Email Subscription
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:52:58.777Z

Reserved: 2025-09-18T14:54:06.118Z

Link: CVE-2025-10691

cve-icon Vulnrichment

Updated: 2025-11-06T17:02:17.008Z

cve-icon NVD

Status : Deferred

Published: 2025-11-06T04:15:32.177

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10691

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T16:45:21Z

Weaknesses