Description
The Tripetto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.0.9. This is due to missing nonce validation. This makes it possible for unauthenticated attackers to delete arbitrary results via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-03-15
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted deletion of Tripetto form results
Action: Apply patch
AI Analysis

Impact

The Tripetto WordPress plugin suffers from a Cross‑Site Request Forgery flaw caused by missing nonce validation in all releases up to 8.0.9. An attacker who can persuade a site administrator to click a crafted link can cause the administrator's browser to send a request that deletes any form submission stored by the plugin. This results in loss of data integrity and availability for any surveys, quizzes, or contact forms managed through Tripetto.

Affected Systems

All WordPress installations that use the Tripetto plugin version 8.0.9 or earlier are affected. The vulnerability is present in the core Tripetto plugin delivered as a WordPress form builder, surveys and quizzes extension.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. The EPSS score of less than 1% suggests a very low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is Cross‑Site Request Forgery; it requires that an unauthenticated attacker convince a legitimate site administrator to perform a specific action such as clicking a link. If successful, the attacker can delete arbitrary form results, potentially impacting data availability but not code execution or system compromise.

Generated by OpenCVE AI on April 21, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Tripetto plugin to the latest stable version (≥8.1.0) to restore nonce validation for result deletion.
  • Configure WordPress user roles to limit the 'Delete results' capability to administrators only, using the built‑in role editor or a role management plugin.
  • If the result deletion feature is not required, disable it completely by adjusting plugin settings or adding a small code snippet.
  • Continuously monitor the results dashboard and audit logs for any unexpected deletions to detect possible exploitation.
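The description above attributes the flaw to missing nonce validation, and the first recommended action is to restore it. The following is an added illustration, not Tripetto's code: a hypothetical WordPress result-deletion handler written twice, first in the CWE-352 pattern the advisory describes (the handler trusts any request that reaches it), then hardened with a capability check and a nonce bound to the specific record. All function, table and option names (`example_*`, `manage_options`, the `example_results` table) are assumptions for illustration.

```php
<?php
// Added illustration of CWE-352 in a WordPress plugin result-deletion handler.
// This is NOT Tripetto's code; all names below are invented for the example.

// --- Vulnerable pattern: nothing ties the request to an action the user chose. ---
// If an administrator's browser is induced to request
// admin-post.php?action=example_delete_result&result_id=42, the deletion runs
// because the handler checks neither a nonce nor a capability.
function example_delete_result_vulnerable() {
    global $wpdb;
    $result_id = isset( $_GET['result_id'] ) ? absint( $_GET['result_id'] ) : 0;
    $wpdb->delete( $wpdb->prefix . 'example_results', array( 'id' => $result_id ), array( '%d' ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-results' ) );
    exit;
}

// --- Hardened pattern: capability check plus a nonce bound to the record. ---
function example_delete_result_secure() {
    global $wpdb;

    // 1. Authorization: only users allowed to administer the plugin may delete.
    //    (Assumed capability; a real plugin would register its own.)
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }

    $result_id = isset( $_GET['result_id'] ) ? absint( $_GET['result_id'] ) : 0;

    // 2. Intent: the nonce action string includes the result id, so a token issued
    //    for one record cannot be replayed against another. check_admin_referer()
    //    verifies the '_wpnonce' query argument and stops execution if it is
    //    missing, expired, or was issued for a different action or user.
    check_admin_referer( 'example_delete_result_' . $result_id, '_wpnonce' );

    $wpdb->delete( $wpdb->prefix . 'example_results', array( 'id' => $result_id ), array( '%d' ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-results&deleted=1' ) );
    exit;
}

// The delete link rendered in the results table must carry the matching nonce;
// wp_nonce_url() appends it using the same action string the handler verifies.
function example_delete_link( $result_id ) {
    $result_id = absint( $result_id );
    $url = admin_url( 'admin-post.php?action=example_delete_result&result_id=' . $result_id );
    return wp_nonce_url( $url, 'example_delete_result_' . $result_id, '_wpnonce' );
}

// Register only the hardened handler. admin-post.php dispatches ?action=... to
// the 'admin_post_{action}' hook for logged-in users.
add_action( 'admin_post_example_delete_result', 'example_delete_result_secure' );
```

Both checks are needed: the nonce alone proves the request originated from a page WordPress rendered for this user, and the capability check alone does not stop a forged request issued from an administrator's authenticated browser. Binding the record id into the nonce action is what makes "arbitrary results" deletion impossible even if one link's token is exposed.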


Advisories
Source   ID               Title
EUVD     EUVD-2025-6624   The Tripetto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.0.9. This is due to missing nonce validation. This makes it possible for unauthenticated attackers to delete arbitrary results via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Tue, 15 Jul 2025 13:45:00 +0000

Type           Values Removed        Values Added
Metrics epss   {'score': 0.00025}    {'score': 0.00034}


Tue, 25 Mar 2025 20:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Tripetto
                                       Tripetto tripetto
CPEs                                   cpe:2.3:a:tripetto:tripetto:*:*:*:*:*:wordpress:*:*
Vendors & Products                     Tripetto
                                       Tripetto tripetto

Mon, 17 Mar 2025 22:15:00 +0000

Type           Values Removed   Values Added
Metrics ssvc                    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 15 Mar 2025 11:30:00 +0000

Type               Values Removed   Values Added
Description                         The Tripetto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.0.9. This is due to missing nonce validation. This makes it possible for unauthenticated attackers to delete arbitrary results via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title                               Tripetto <= 8.0.9 - Cross-Site Request Forgery to Arbitrary Results Deletion
Weaknesses                          CWE-352
References
Metrics cvssV3_1                    {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Tripetto Tripetto
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:05.660Z

Reserved: 2025-02-21T00:47:08.805Z

Link: CVE-2025-1530

Vulnrichment

Updated: 2025-03-17T21:25:12.511Z

NVD

Status : Analyzed

Published: 2025-03-15T12:15:11.890

Modified: 2025-03-25T20:02:28.730

Link: CVE-2025-1530

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:00:26Z

Weaknesses