Description
Cross-Site Request Forgery (CSRF) vulnerability in Webaholicson Epicwin Plugin epicwin-subscribers allows SQL Injection. This issue affects Epicwin Plugin: from n/a through <= 1.5.
Published: 2025-06-06
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cross-Site Request Forgery in the Webaholicson Epicwin Plugin allows attackers to inject arbitrary SQL commands into the database. Because the forged request is sent by the victim's browser, the attacker needs no credentials of their own (CVSS PR:N), but a user must be induced to trigger it (UI:R); the result is unauthorized data manipulation or exposure. This weakness is classified as CWE-352.

Affected Systems

Epicwin Plugin for WordPress version 1.5 and all earlier releases are vulnerable. No fixed version has been released to date. The issue applies to every installation that has the vulnerable plugin enabled.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, while an EPSS below 1% suggests a low current exploitation probability. The vulnerability is not listed in CISA KEV. Based on the description, the likely attack vector is tricking a logged-in user into clicking a crafted link or submitting a crafted form that the plugin does not validate for CSRF; the forged request then reaches the vulnerable SQL query.

Generated by OpenCVE AI on May 2, 2026 at 01:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Epicwin Plugin to the latest version that removes the CSRF flaw and SQL injection vulnerability.
  • If an update is not available, consider deactivating or uninstalling the plugin until a fix is released.
  • Add a server‑side CSRF token or referer validation to all state‑changing requests handled by the plugin.
  • Restrict access to the plugin's administrative pages to trusted IP addresses or network zones to reduce exposure.

Advisories

Source: EUVD
ID: EUVD-2025-17177
Title: Cross-Site Request Forgery (CSRF) vulnerability in Webaholicson Epicwin Plugin allows SQL Injection. This issue affects Epicwin Plugin: from n/a through 1.5.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Webaholicson Epicwin Plugin allows SQL Injection. This issue affects Epicwin Plugin: from n/a through 1.5.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Webaholicson Epicwin Plugin epicwin-subscribers allows SQL Injection.This issue affects Epicwin Plugin: from n/a through <= 1.5.

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L'}


Fri, 06 Jun 2025 17:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Jun 2025 13:15:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Webaholicson Epicwin Plugin allows SQL Injection. This issue affects Epicwin Plugin: from n/a through 1.5.

Type: Title
Values Added: WordPress Epicwin Plugin plugin <= 1.5 - CSRF to SQL Injection vulnerability

Type: Weaknesses
Values Added: CWE-352

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:52.292Z

Reserved: 2025-03-11T08:10:44.966Z

Link: CVE-2025-28986

Vulnrichment

Updated: 2025-06-06T16:10:32.502Z

NVD

Status : Deferred

Published: 2025-06-06T13:15:29.443

Modified: 2026-06-17T09:05:00.090

Link: CVE-2025-28986

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T01:30:16Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)