Description
Cross-Site Request Forgery (CSRF) vulnerability in WP Spell Check WP Spell Check wp-spell-check allows Cross Site Request Forgery. This issue affects WP Spell Check: from n/a through <= 9.21.
Published: 2025-02-07
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic Cross‑Site Request Forgery (CSRF) flaw in the WP Spell Check plugin for WordPress. An attacker can trick a legitimate site visitor, who is already authenticated, into executing unintended requests that the plugin processes. This can lead to unauthorized changes in the plugin’s configuration or other privileged actions, potentially affecting the integrity and confidentiality of the site’s content. The weakness is classified as CWE‑352.

Affected Systems

The affected product is the WP Spell Check plugin for WordPress, version 9.21 and earlier. The vulnerability applies to all installations of the plugin without a later update, regardless of the underlying WordPress version.

Risk and Exploitability

The CVSS score of 5.4 reflects moderate severity. The EPSS score of less than 1% indicates a very low chance of exploitation at the time of this assessment. The vulnerability is not listed in the CISA KEV catalog, suggesting it is not currently tied to known widespread attacks. The likely attack vector requires the target user to be authenticated to the site, and the attacker typically delivers a malicious link or image that triggers the unwanted request. Because the plugin did not use an anti‑CSRF token, the flaw can be leveraged without additional conditions, but an authenticated user is still needed.

Generated by OpenCVE AI on May 1, 2026 at 17:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Spell Check plugin to any version greater than 9.21.
  • If an update is not immediately possible, temporarily disable the plugin or remove the vulnerable endpoint until the patch is applied.
  • Configure WordPress to enforce SameSite cookies or add a custom anti‑CSRF token to the plugin’s forms to prevent unauthorized requests.
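As an added illustration of the last recommendation, here is a nonce-protected settings form and handler for a hypothetical WordPress plugin. This is example code, not the WP Spell Check plugin's own; the option name, action name and form field are assumptions.

```php
<?php
// Added example: a nonce-protected settings form for a hypothetical WordPress
// plugin. Option name, action name and form fields are assumptions, not taken
// from WP Spell Check.

// Render the settings form with a nonce field bound to a specific action.
function hypo_render_settings_form() {
    $dictionary = get_option( 'hypo_custom_dictionary', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hypo_save_settings">
        <?php wp_nonce_field( 'hypo_save_settings', 'hypo_nonce' ); ?>
        <textarea name="hypo_custom_dictionary"><?php echo esc_textarea( $dictionary ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handler for the form. check_admin_referer() verifies the nonce and stops the
// request on failure, so a cross-site request that carries the victim's cookies
// but no valid nonce never reaches update_option(). The capability check ensures
// the request also comes from a user allowed to change settings.
function hypo_handle_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'hypo_save_settings', 'hypo_nonce' );

    $value = isset( $_POST['hypo_custom_dictionary'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['hypo_custom_dictionary'] ) )
        : '';
    update_option( 'hypo_custom_dictionary', $value );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_hypo_save_settings', 'hypo_handle_save_settings' );
```

The nonce is tied to the logged-in user and the named action, so a request forged from another origin cannot supply a valid one even though the browser attaches the session cookie.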

Advisories
Source: EUVD
ID: EUVD-2025-4039
Title: Cross-Site Request Forgery (CSRF) vulnerability in WP Spell Check WP Spell Check allows Cross Site Request Forgery. This issue affects WP Spell Check: from n/a through 9.21.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in WP Spell Check WP Spell Check allows Cross Site Request Forgery. This issue affects WP Spell Check: from n/a through 9.21.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in WP Spell Check WP Spell Check wp-spell-check allows Cross Site Request Forgery.This issue affects WP Spell Check: from n/a through <= 9.21.

Type: Title
Values Removed: WordPress WP Spell Check Plugin <= 9.21 - Cross Site Request Forgery (CSRF) vulnerability
Values Added: WordPress WP Spell Check plugin <= 9.21 - Cross Site Request Forgery (CSRF) vulnerability
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}


Fri, 07 Feb 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 07 Feb 2025 10:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in WP Spell Check WP Spell Check allows Cross Site Request Forgery. This issue affects WP Spell Check: from n/a through 9.21.
Title WordPress WP Spell Check Plugin <= 9.21 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:35.620Z

Reserved: 2025-02-03T13:34:38.766Z

Link: CVE-2025-25111

Vulnrichment

Updated: 2025-02-07T14:57:44.072Z

NVD

Status : Deferred

Published: 2025-02-07T10:15:16.910

Modified: 2026-04-23T15:25:37.657

Link: CVE-2025-25111

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T17:15:21Z

Weaknesses