CVE-2025-27353 - Vulnerability Details

- WordPress Namaste! LMS Plugin <= 2.6.5 - Cross Site Request Forgery (CSRF) vulnerability

Description

Cross-Site Request Forgery (CSRF) vulnerability in Bob Namaste! LMS namaste-lms allows Cross Site Request Forgery.This issue affects Namaste! LMS: from n/a through <= 2.6.5.

Published: 2025-02-24

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A Cross‑Site Request Forgery vulnerability exists in the Namaste! LMS WordPress plugin that allows a malicious actor to submit forged requests on behalf of an authenticated user. The flaw resides in the front‑end handling of user‑initiated actions that lack proper CSRF token validation, meaning an attacker could, for example, enroll a user in a course or change course settings without the user’s consent. While the severity is moderate (CVSS 4.3), the impact reaches the integrity of the LMS data and could erode trust among users.

Affected Systems

The flaw affects the Namaste! LMS plugin by Bob for WordPress versions up through 2.6.5. Any deployment of the plugin below 2.6.6 is vulnerable; newer releases are not impacted.

Risk and Exploitability

The EPSS score of less than 1% indicates that real‑world exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score reflects that the flaw requires an authenticated session with the LMS and the ability to target a particular user. Based on the description, it is inferred that the likely attack vector involves luring a legitimate user to a crafted link that submits a forged request. Because the vulnerability is not actively exploited at scale, the risk remains low, but the potential for unauthorized LMS changes remains.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Bob

Namaste! LMS

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.6.5

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Namaste! LMS plugin to version 2.6.6 or higher, the release that includes the CSRF fix.
Ensure that the plugin’s CSRF token verification is enabled for all administrator and user actions; if not, manually add nonces to the relevant forms.
Restrict the exposure of sensitive LMS functionality to users with appropriate capabilities, such as disabling public enrollment features for untrusted users.

Generated by OpenCVE AI on May 2, 2026 at 09:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-4324	Cross-Site Request Forgery (CSRF) vulnerability in Bob Namaste! LMS allows Cross Site Request Forgery. This issue affects Namaste! LMS: from n/a through 2.6.5.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00095.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/namaste-lms/vulnerability/wordpress-namaste-lms-plugin-2-6-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Cross-Site Request Forgery (CSRF) vulnerability in Bob Namaste! LMS allows Cross Site Request Forgery. This issue affects Namaste! LMS: from n/a through 2.6.5.	Cross-Site Request Forgery (CSRF) vulnerability in Bob Namaste! LMS namaste-lms allows Cross Site Request Forgery.This issue affects Namaste! LMS: from n/a through <= 2.6.5.
References	https://patchstack.com/database/wordpress/plugin/namaste-lms/vulnerability/wordpress-namaste-lms-plugin-2-6-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/namaste-lms/vulnerability/wordpress-namaste-lms-plugin-2-6-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}`

Mon, 24 Feb 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 24 Feb 2025 15:00:00 +0000

Type	Values Removed	Values Added
Description		Cross-Site Request Forgery (CSRF) vulnerability in Bob Namaste! LMS allows Cross Site Request Forgery. This issue affects Namaste! LMS: from n/a through 2.6.5.
Title		WordPress Namaste! LMS Plugin <= 2.6.5 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses		CWE-352
References		https://patchstack.com/database/wordpress/plugin/namaste-lms/vulnerability/wordpress-namaste-lms-plugin-2-6-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-02-24T14:49:25.170Z

Updated: 2026-04-28T16:11:48.829Z

Reserved: 2025-02-21T16:46:11.505Z

Link: CVE-2025-27353

Vulnrichment

Updated: 2025-02-24T15:56:04.713Z

NVD

Status : Deferred

Published: 2025-02-24T15:15:20.780

Modified: 2026-04-23T15:26:25.717

Link: CVE-2025-27353

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T09:15:26Z

Weaknesses

CWE-352

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object