Description
Cross-Site Request Forgery (CSRF) vulnerability in kbowson Title Experiments Free wp-experiments-free allows Cross Site Request Forgery. This issue affects Title Experiments Free: from n/a through <= 9.0.4.
Published: 2025-01-07
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordPress plugin Title Experiments Free has a CSRF flaw that lets an attacker have a crafted request submitted under the guise of a legitimate user. The flaw permits tampering with data submitted to the site, potentially altering plugin settings or other content. The weakness is classified as CWE-352. No information indicates that the attack would break authentication or expose sensitive data; the primary effect is an unauthorized change of state.

Affected Systems

This issue targets the kbowson Title Experiments Free plugin for WordPress, affecting all releases from the initial version through 9.0.4 inclusive. Only versions 9.0.5 and newer contain the fix.

Risk and Exploitability

The CVSS score of 4.3 places this vulnerability in the medium severity range. The EPSS of <1% indicates a very low but nonzero likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need a victim user to be logged in and to follow a crafted link, enabling forged requests that alter plugin data without the user’s knowledge.

Generated by OpenCVE AI on May 1, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to the latest version (9.0.5 or later) to eliminate the CSRF flaw.
  • If the plugin cannot be updated immediately, disable or uninstall it to prevent the vulnerability from being exploitable.
  • Review other WordPress plugins and core for missing CSRF protections and ensure that all form submissions use proper nonce tokens.


Advisories
Source: EUVD
ID: EUVD-2025-2840
Title: Cross-Site Request Forgery (CSRF) vulnerability in Jason Funk Title Experiments Free allows Cross Site Request Forgery. This issue affects Title Experiments Free: from n/a through 9.0.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Cross-Site Request Forgery (CSRF) vulnerability in Jason Funk Title Experiments Free allows Cross Site Request Forgery. This issue affects Title Experiments Free: from n/a through 9.0.4.
  Added: Cross-Site Request Forgery (CSRF) vulnerability in kbowson Title Experiments Free wp-experiments-free allows Cross Site Request Forgery. This issue affects Title Experiments Free: from n/a through <= 9.0.4.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Tue, 07 Jan 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Jan 2025 15:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Jason Funk Title Experiments Free allows Cross Site Request Forgery. This issue affects Title Experiments Free: from n/a through 9.0.4.
Title WordPress Title Experiments Free plugin <= 9.0.4 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:01.577Z

Reserved: 2025-01-07T10:23:24.212Z

Link: CVE-2025-22562

Vulnrichment

Updated: 2025-01-07T17:30:21.853Z

NVD

Status: Deferred

Published: 2025-01-07T16:15:52.540

Modified: 2026-06-17T08:48:17.577

Link: CVE-2025-22562

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T22:30:16Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)