Description
Cross-Site Request Forgery (CSRF) vulnerability in Saeed Sattar Beglou Hesabfa Accounting hesabfa-accounting allows Cross Site Request Forgery. This issue affects Hesabfa Accounting: from n/a through <= 2.1.8.
Published: 2025-03-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Hesabfa Accounting plugin for WordPress contains a Cross-Site Request Forgery flaw, designated CWE-352. The vulnerability allows a malicious site to force a logged-in user to send requests to the plugin's endpoints, potentially altering or creating accounting records without the user's explicit permission. Because the exposed actions may modify financial data or perform other privileged operations, the impact can range from data corruption to inadvertent financial liability.

Affected Systems

Saeed Sattar Beglou Hesabfa Accounting plugin for WordPress, versions from the initial release through and including version 2.1.8.

Risk and Exploitability

The CVSS base score of 4.3 reflects a moderate severity for CSRF, and the EPSS score of less than 1% indicates a very low likelihood of exploitation at present. The flaw is not listed in CISA's KEV catalog. Exploitation requires the victim to be authenticated to the WordPress site; an attacker can craft a malicious request that the victim's browser unknowingly submits, enabling the attacker to perform any action the user can normally execute through the plugin. The risk to each affected site depends on the plugin's use case: if financial records are being managed, the potential damage is higher.

Generated by OpenCVE AI on May 1, 2026 at 04:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hesabfa Accounting to a version newer than 2.1.8, where the CSRF vulnerability has been fixed.
  • Enable or enforce the plugin's nonce/CSRF token validation, ensuring that all state-changing requests require a valid, user-specific token.
  • Configure a web-application firewall or security plugin to detect and block forged POST requests to the plugin's endpoints, such as by rejecting requests without a valid Referer header or without the expected CSRF token.
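Nonce validation as described in the second recommendation, shown here as an added example that is not Hesabfa's code: a hypothetical WordPress admin-post handler in its unprotected and hardened forms. The hypo_acct_* names, the 'manage_options' capability and the option key are assumptions chosen for illustration.

```php
<?php
// Added illustration (not Hesabfa code). All hypo_acct_* names are placeholders.

// Vulnerable pattern: a state-changing action with no nonce and no capability
// check, so any request the victim's browser can be made to send is honoured.
function hypo_acct_save_record_vulnerable() {
    $amount = isset( $_POST['amount'] ) ? floatval( $_POST['amount'] ) : 0;
    update_option( 'hypo_acct_last_amount', $amount ); // state change, unprotected
    wp_safe_redirect( admin_url( 'admin.php?page=hypo-acct' ) );
    exit;
}

// Hardened pattern: verify the per-user, per-action nonce first, then the
// capability, and only then perform the change.
function hypo_acct_save_record_hardened() {
    // Stops the request (wp_nonce_ays "link expired" page) unless a valid nonce
    // for 'hypo_acct_save_record' is present in $_REQUEST['_wpnonce'].
    check_admin_referer( 'hypo_acct_save_record' );

    // A nonce proves intent, not authorisation; still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hypo-acct' ), 403 );
    }

    $amount = isset( $_POST['amount'] ) ? floatval( wp_unslash( $_POST['amount'] ) ) : 0;
    update_option( 'hypo_acct_last_amount', $amount );
    wp_safe_redirect( admin_url( 'admin.php?page=hypo-acct' ) );
    exit;
}
add_action( 'admin_post_hypo_acct_save_record', 'hypo_acct_save_record_hardened' );

// The legitimate form embeds the matching nonce; a cross-origin page cannot
// read it (same-origin policy) or guess it (tied to user, action and session).
function hypo_acct_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hypo_acct_save_record">
        <?php wp_nonce_field( 'hypo_acct_save_record' ); ?>
        <input type="number" step="0.01" name="amount">
        <button type="submit">Save</button>
    </form>
    <?php
}
```

For AJAX endpoints the same applies with check_ajax_referer() in the wp_ajax_* handler; nonces are the CSRF defence WordPress provides, so a plugin that omits them on a state-changing action is exposed regardless of the theme or WAF in front of it.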

Generated by OpenCVE AI on May 1, 2026 at 04:01 UTC.

Advisories

Source: EUVD
ID: EUVD-2025-8352
Title: Cross-Site Request Forgery (CSRF) vulnerability in Saeed Sattar Beglou Hesabfa Accounting allows Cross Site Request Forgery. This issue affects Hesabfa Accounting: from n/a through 2.1.8.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Saeed Sattar Beglou Hesabfa Accounting allows Cross Site Request Forgery. This issue affects Hesabfa Accounting: from n/a through 2.1.8.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Saeed Sattar Beglou Hesabfa Accounting hesabfa-accounting allows Cross Site Request Forgery.This issue affects Hesabfa Accounting: from n/a through <= 2.1.8.

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Thu, 27 Mar 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 27 Mar 2025 11:00:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Saeed Sattar Beglou Hesabfa Accounting allows Cross Site Request Forgery. This issue affects Hesabfa Accounting: from n/a through 2.1.8.

Type: Title
Values Added: WordPress Hesabfa Accounting plugin <= 2.1.8 - Cross Site Request Forgery (CSRF) vulnerability

Type: Weaknesses
Values Added: CWE-352

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:57.947Z

Reserved: 2025-03-26T09:20:32.696Z

Link: CVE-2025-30815

Vulnrichment

Updated: 2025-03-27T13:58:41.778Z

NVD

Status: Deferred

Published: 2025-03-27T11:15:42.640

Modified: 2026-04-23T15:27:07.443

Link: CVE-2025-30815

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T04:15:08Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)