Description
Cross-Site Request Forgery (CSRF) vulnerability in saleandro Songkick Concerts and Festivals songkick-concerts-and-festivals allows Cross Site Request Forgery. This issue affects Songkick Concerts and Festivals: from n/a through <= 0.9.7.
Published: 2025-02-07
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery (CWE‑352) flaw: a request handler in the plugin performs a state change without verifying that the request was issued from the plugin's own forms (in WordPress terms, the usual cause is a missing or unchecked nonce; the specific handler is not identified on this page). A page under the attacker's control can therefore make a logged‑in user's browser submit that request, and the browser attaches the WordPress session cookie automatically, so the attacker needs no credentials. The attacker does need the victim to be logged in with enough rights for the action to matter and to visit attacker‑controlled content. The flaw is present in every release up to and including 0.9.7, and the recorded CVSS vector (C:N/I:L/A:N) scores only a limited integrity impact, with no confidentiality or availability impact.

Affected Systems

All WordPress sites running the saleandro Songkick Concerts and Festivals plugin at version 0.9.7 or earlier are affected. No fixed release is recorded on this page, so every published version should be treated as vulnerable until the vendor ships a fix.

Risk and Exploitability

The CVSS 3.1 score of 4.3 (Medium) breaks down as network‑reachable, low attack complexity, no privileges required, user interaction required, and limited integrity impact only. The EPSS score of < 1 % indicates a very low probability of real‑world exploitation, the SSVC assessment recorded below rates exploitation as "none" and the issue as not automatable, and the flaw is not listed in the CISA KEV catalog. The attack vector is a web page or e‑mail that lures a logged‑in user (typically an administrator, since plugin settings are admin‑side) into loading attacker‑controlled content that submits a forged request to the site; phishing or content injected on a third‑party site are the usual delivery methods.

Generated by OpenCVE AI on May 2, 2026 at 04:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Songkick Concerts and Festivals plugin to a release newer than 0.9.7 once one becomes available and the changelog or advisory confirms the fix.
  • If no fixed release is available, deactivate and remove the plugin; an inactive plugin's hooked request handlers no longer run, which removes the CSRF surface.
  • Do not expect a web application firewall or mod_security rule set to retrofit the missing nonce check: WordPress nonces are per‑user, per‑action tokens that only the application can issue and verify, so the real fix belongs in the plugin's code (CWE‑352 mitigation). What a perimeter rule can do is reject POST requests to wp-admin/ (including admin-post.php and admin-ajax.php) whose Origin or Referer header does not match the site's own origin; that blocks the classic cross‑site form submission without affecting legitimate admin traffic. Do not rely on browsers' default SameSite cookie handling as a substitute, since it does not cover every request shape.
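The following is an added illustration, not code from the Songkick Concerts and Festivals plugin: it shows the CWE‑352 shape described under Impact (an admin handler that honours any POST it receives) next to the hardened form the recommended actions call for, where the handler verifies a WordPress nonce and the caller's capability. The option name `sk_example_api_key`, the action slug `sk_example_save`, the nonce field name `sk_example_nonce`, and the settings page slug `sk-example` are hypothetical; the WordPress functions used (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `update_option`, `wp_safe_redirect`, `submit_button`) are real core APIs.

```php
<?php
/*
 * Added illustration of the CWE-352 pattern in a WordPress admin handler.
 * Not the plugin's own code. Names prefixed sk_example_ / sk-example are
 * hypothetical placeholders, as is the option 'sk_example_api_key'.
 */

// ---- Vulnerable shape: every POST that reaches the handler is honoured. ----
// A page on another origin can auto-submit a form to
// /wp-admin/admin-post.php?action=sk_example_save while an admin is logged in.
// The browser attaches the wordpress_logged_in_* cookie, so the write succeeds
// even though the admin never opened the plugin's settings page.
function sk_example_save_vulnerable() {
    if ( isset( $_POST['api_key'] ) ) {
        update_option( 'sk_example_api_key', sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=sk-example' ) );
    exit;
}

// ---- Hardened shape: prove the request came from our own form, submitted
// ---- by a user who is allowed to perform this action.
function sk_example_save_hardened() {
    // 1. Authorization. A nonce alone is not enough: a logged-in subscriber
    //    could otherwise obtain a valid nonce and change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'sk-example' ), '', array( 'response' => 403 ) );
    }

    // 2. CSRF. The nonce is bound to this action and to the current user's
    //    session; a cross-origin page cannot read it, so a forged request never
    //    carries a valid one. check_admin_referer() calls wp_die() on failure,
    //    so execution does not continue past this line for a forged request.
    check_admin_referer( 'sk_example_save', 'sk_example_nonce' );

    if ( isset( $_POST['api_key'] ) ) {
        update_option( 'sk_example_api_key', sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) );
    }
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=sk-example' ) ) );
    exit;
}
// Only the hardened handler is hooked; the vulnerable one is shown for contrast.
add_action( 'admin_post_sk_example_save', 'sk_example_save_hardened' );

// ---- Form side: emit the nonce the hardened handler expects. ----
// wp_nonce_field() renders the hidden nonce input plus a _wp_http_referer field.
function sk_example_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="sk_example_save">
        <?php wp_nonce_field( 'sk_example_save', 'sk_example_nonce' ); ?>
        <label>API key
            <input type="text" name="api_key"
                   value="<?php echo esc_attr( get_option( 'sk_example_api_key', '' ) ); ?>">
        </label>
        <?php submit_button( __( 'Save', 'sk-example' ) ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of bug, look for every callback hooked to `admin_post_*`, `admin_init`, `wp_ajax_*` or a settings page that reads `$_POST` or `$_GET` and writes options, posts or files: each one needs both a capability check and a nonce check, and a call to `wp_verify_nonce()` whose return value is ignored counts as no check at all.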



Advisories
Source: EUVD
ID: EUVD-2025-4056
Title: Cross-Site Request Forgery (CSRF) vulnerability in saleandro Songkick Concerts and Festivals allows Cross Site Request Forgery. This issue affects Songkick Concerts and Festivals: from n/a through 0.9.7.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

  Description (removed): Cross-Site Request Forgery (CSRF) vulnerability in saleandro Songkick Concerts and Festivals allows Cross Site Request Forgery. This issue affects Songkick Concerts and Festivals: from n/a through 0.9.7.
  Description (added): Cross-Site Request Forgery (CSRF) vulnerability in saleandro Songkick Concerts and Festivals songkick-concerts-and-festivals allows Cross Site Request Forgery. This issue affects Songkick Concerts and Festivals: from n/a through <= 0.9.7.
  References: changed (values not shown on this page)
  Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 12 Feb 2025 21:15:00 +0000

  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 07 Feb 2025 10:15:00 +0000

  Description: Cross-Site Request Forgery (CSRF) vulnerability in saleandro Songkick Concerts and Festivals allows Cross Site Request Forgery. This issue affects Songkick Concerts and Festivals: from n/a through 0.9.7.
  Title: WordPress Songkick Concerts and Festivals plugin <= 0.9.7 - Cross Site Request Forgery (CSRF) vulnerability
  Weaknesses: CWE-352
  References: changed (values not shown on this page)
  Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

WordPress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:36.314Z

Reserved: 2025-02-03T13:35:08.294Z

Link: CVE-2025-25146

Vulnrichment

Updated: 2025-02-12T20:46:04.120Z

NVD

Status: Deferred

Published: 2025-02-07T10:15:19.887

Modified: 2026-06-17T09:00:22.457

Link: CVE-2025-25146

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T04:45:34Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)