Description
Cross-Site Request Forgery (CSRF) vulnerability in ZipList ZipList Recipe ziplist-recipe-plugin allows Cross Site Request Forgery.This issue affects ZipList Recipe: from n/a through <= 3.1.
Published: 2025-03-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a cross‑site request forgery flaw in the ZipList Recipe plugin for WordPress, affecting all releases up to and including version 3.1. It permits an attacker to trigger the plugin to carry out privileged actions on behalf of a user who is authenticated to the site, potentially altering or deleting content. The flaw is identified by CWE‑352 and could enable unauthorized changes without the user’s consent.

Affected Systems

Affected systems comprise the WordPress ZipList Recipe plugin developed by Condenast. The plugin is vulnerable in all releases up to and including version 3.1. Upgrading to a newer release eliminates the flaw.

Risk and Exploitability

The CVSS score is 4.3, indicating moderate impact. The EPSS score is below 1 %, suggesting a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation likely requires the target user to be logged into the site and a malicious page to issue a crafted request, which could be achieved via an innocuous link or image. Because no confirmed exploits have been reported, the risk level is moderate but the probability is low.

Generated by OpenCVE AI on May 2, 2026 at 03:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ZipList Recipe plugin to the latest available release (3.2 or newer) where the CSRF issue is patched.
  • After upgrading, verify that only users with administrative privileges can access the plugin’s state‑changing endpoints.
  • If an immediate upgrade cannot be performed, disable the plugin or block its external endpoints using a security plugin or firewall rules until a patch is applied.

Generated by OpenCVE AI on May 2, 2026 at 03:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-7837 Cross-Site Request Forgery (CSRF) vulnerability in ZipList ZipList Recipe allows Cross Site Request Forgery. This issue affects ZipList Recipe: from n/a through 3.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in ZipList ZipList Recipe allows Cross Site Request Forgery. This issue affects ZipList Recipe: from n/a through 3.1. Cross-Site Request Forgery (CSRF) vulnerability in ZipList ZipList Recipe ziplist-recipe-plugin allows Cross Site Request Forgery.This issue affects ZipList Recipe: from n/a through <= 3.1.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00024}

 epss

{'score': 0.00034}

Wed, 19 Mar 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Condenast
Condenast ziplist Recipe
CPEs cpe:2.3:a:ziplist:recipes:*:*:*:*:*:wordpress:*:* cpe:2.3:a:condenast:ziplist_recipe:*:*:*:*:*:wordpress:*:*
Vendors & Products Ziplist
Ziplist recipes
Condenast
Condenast ziplist Recipe

Wed, 19 Mar 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Ziplist
Ziplist recipes
CPEs cpe:2.3:a:ziplist:recipes:*:*:*:*:*:wordpress:*:*
Vendors & Products Ziplist
Ziplist recipes

Wed, 12 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 11 Mar 2025 21:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in ZipList ZipList Recipe allows Cross Site Request Forgery. This issue affects ZipList Recipe: from n/a through 3.1.
Title WordPress ZipList Recipe plugin <= 3.1 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Condenast Ziplist Recipe
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:49.314Z

Reserved: 2025-03-11T08:08:49.774Z

Link: CVE-2025-28868

cve-icon Vulnrichment

Updated: 2025-03-12T14:07:57.246Z

cve-icon NVD

Status : Modified

Published: 2025-03-11T21:15:44.283

Modified: 2026-04-23T15:26:28.333

Link: CVE-2025-28868

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T03:45:33Z

Weaknesses