Description
The FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.23.0. This is due to missing or incorrect nonce validation on the save_changes function. This makes it possible for unauthenticated attackers to add or edit sync rules via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-10-25
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery allowing unauthorized creation or modification of email sync rules
Action: Immediate Patch
AI Analysis

Impact

The FuseWP plugin for WordPress contains a CSRF vulnerability because the save_changes function fails to validate the nonce correctly. An attacker who can lure a logged‑in site administrator into visiting a forged URL can force the creation or modification of sync rules that send user data to external marketing services such as Mailchimp, Constant Contact, or ActiveCampaign. This may result in unwanted data transfer.

Affected Systems

WordPress sites that have installed the FuseWP – WordPress User Sync to Email List & Marketing Automation plugin version 1.1.23.0 or earlier are affected. The vendor is fusewp and no other vendors or products are listed.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity, while the EPSS score of less than 1% points to a very low likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. Attackers must rely on social engineering to trick an administrator into executing a forged request while authenticated, which limits the immediate attack surface but still poses a potential risk to data integrity and compliance.

Generated by OpenCVE AI on April 22, 2026 at 06:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FuseWP plugin to the latest version that includes the CSRF fix.
  • Review all existing sync rule configurations for unauthorized or unexpected entries and delete those that were not authorized by a legitimate administrator.
  • If an upgrade cannot be applied immediately, temporarily disable or restrict the sync feature until the update is available.
  • Monitor WordPress administrative logs for anomalous sync rule creation or modification events to detect exploitation attempts.

Generated by OpenCVE AI on April 22, 2026 at 06:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Oct 2025 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Fusewp
Fusewp fusewp
Wordpress
Wordpress wordpress
Vendors & Products Fusewp
Fusewp fusewp
Wordpress
Wordpress wordpress

Mon, 27 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 25 Oct 2025 07:00:00 +0000

Type Values Removed Values Added
Description The FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.23.0. This is due to missing or incorrect nonce validation on the save_changes function. This makes it possible for unauthenticated attackers to add or edit sync rules via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) <= 1.1.23.0 - Cross-Site Request Forgery to Sync Rule Creation
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Fusewp Fusewp
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:54.970Z

Reserved: 2025-10-20T16:07:42.381Z

Link: CVE-2025-11976

cve-icon Vulnrichment

Updated: 2025-10-27T15:32:55.290Z

cve-icon NVD

Status : Deferred

Published: 2025-10-25T07:15:40.737

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11976

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T06:15:10Z

Weaknesses