CVE-2025-30968 - Vulnerability Details

- WordPress Advanced Post List plugin <= 0.5.6.2 - Cross Site Request Forgery (CSRF) Vulnerability

Description

Cross-Site Request Forgery (CSRF) vulnerability in jokerbr313 Advanced Post List advanced-post-list allows Cross Site Request Forgery.This issue affects Advanced Post List: from n/a through <= 0.5.6.2.

Published: 2025-06-06

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a classic Cross‑Site Request Forgery flaw that allows an attacker to redirect a logged‑in user to perform actions without the user's consent. Because the plugin processes requests without adequate verification, an attacker with a crafted URL can trigger unwanted operations within the site that the user is authorized to perform. The weakness is classified as CWE‑352.

Affected Systems

The Advanced Post List plugin by jokerbr313, version 0.5.6.2 and earlier, is affected. Any WordPress installation that uses these versions of the plugin is susceptible.

Risk and Exploitability

The CVSS score of 5.4 indicates a medium severity impact. With an EPSS score of less than 1 % the likelihood of exploitation at the current time is low, and the issue is not listed in the CISA KEV catalog. However, CSRF remains a common attack vector on authenticated users, and an attacker that can lure a legitimate user to a malicious link could trigger the vulnerability if no protective tokens or role restrictions are in place.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

jokerbr313

Advanced Post List

unaffected

Version	Status	Constraints
`0`	affected	≤ 0.5.6.2

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Advanced Post List plugin to a version newer than 0.5.6.2.
If the plugin is not required, remove or disable it entirely.
If an update cannot be applied immediately, restrict the plugin’s access to administrator-level accounts and ensure that any state‑changing actions require explicit user confirmation or a CSRF token.

Generated by OpenCVE AI on April 30, 2026 at 18:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-17224	Cross-Site Request Forgery (CSRF) vulnerability in jokerbr313 Advanced Post List allows Cross Site Request Forgery. This issue affects Advanced Post List: from n/a through 0.5.6.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00084.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/advanced-post-list/vulnerability/wordpress-advanced-post-list-0-5-6-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Cross-Site Request Forgery (CSRF) vulnerability in jokerbr313 Advanced Post List allows Cross Site Request Forgery. This issue affects Advanced Post List: from n/a through 0.5.6.2.	Cross-Site Request Forgery (CSRF) vulnerability in jokerbr313 Advanced Post List advanced-post-list allows Cross Site Request Forgery.This issue affects Advanced Post List: from n/a through <= 0.5.6.2.
Title	WordPress Advanced Post List <= 0.5.6.2 - Cross Site Request Forgery (CSRF) Vulnerability	WordPress Advanced Post List plugin <= 0.5.6.2 - Cross Site Request Forgery (CSRF) Vulnerability
References	https://patchstack.com/database/wordpress/plugin/advanced-post-list/vulnerability/wordpress-advanced-post-list-0-5-6-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/advanced-post-list/vulnerability/wordpress-advanced-post-list-0-5-6-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}`

Fri, 06 Jun 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 06 Jun 2025 13:15:00 +0000

Type	Values Removed	Values Added
Description		Cross-Site Request Forgery (CSRF) vulnerability in jokerbr313 Advanced Post List allows Cross Site Request Forgery. This issue affects Advanced Post List: from n/a through 0.5.6.2.
Title		WordPress Advanced Post List <= 0.5.6.2 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses		CWE-352
References		https://patchstack.com/database/wordpress/plugin/advanced-post-list/vulnerability/wordpress-advanced-post-list-0-5-6-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-06-06T12:54:08.294Z

Updated: 2026-04-28T16:12:02.209Z

Reserved: 2025-03-26T09:22:27.935Z

Link: CVE-2025-30968

Vulnrichment

Updated: 2025-06-06T15:12:28.398Z

NVD

Status : Deferred

Published: 2025-06-06T13:15:37.010

Modified: 2026-04-23T15:27:25.267

Link: CVE-2025-30968

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T18:30:16Z

Weaknesses

CWE-352
Cross-Site Request Forgery (CSRF)

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object