Description
Cross-Site Request Forgery (CSRF) vulnerability in Imran Tauqeer CubeWP cubewp-framework allows Cross Site Request Forgery. This issue affects CubeWP: from n/a through <= 1.1.29.
Published: 2025-06-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises in the CubeWP plugin for WordPress, allowing an attacker to perform Cross‑Site Request Forgery attacks on all versions up to and including 1.1.29. An impersonated user or a malicious link can cause the plugin to change its configuration without the user’s consent, potentially leading to unwanted content management changes or exposure of sensitive data. The flaw is a classic CSRF weakness, identified as CWE‑352.

Affected Systems

WordPress sites running the CubeWP all‑in‑one dynamic content framework plugin, version 1.1.29 or older, created by Imran Tauqeer. Any WordPress installation that has not yet updated beyond that version is exposed.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk. The EPSS score is less than one per cent, showing a very low probability of exploitation, and it is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to lure a logged‑in user to a crafted request lacking a CSRF token; therefore, the likely attack vector is a web‑based request from a compromised or spoofed session.

Generated by OpenCVE AI on May 1, 2026 at 07:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CubeWP to any available version newer than 1.1.29 if one exists.
  • Restrict access to the WordPress admin area and enable two‑factor authentication to reduce the risk of credential compromise.
  • If the plugin is no longer required, fully deactivate and delete it from the installation.

Advisories
Source: EUVD
ID: EUVD-2025-17235
Title: Cross-Site Request Forgery (CSRF) vulnerability in Emraan Cheema CubeWP – All-in-One Dynamic Content Framework allows Cross Site Request Forgery. This issue affects CubeWP – All-in-One Dynamic Content Framework: from n/a through 1.1.23.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Cross-Site Request Forgery (CSRF) vulnerability in Emraan Cheema CubeWP – All-in-One Dynamic Content Framework allows Cross Site Request Forgery. This issue affects CubeWP – All-in-One Dynamic Content Framework: from n/a through 1.1.23.
  Added: Cross-Site Request Forgery (CSRF) vulnerability in Imran Tauqeer CubeWP cubewp-framework allows Cross Site Request Forgery. This issue affects CubeWP: from n/a through <= 1.1.29.
Title
  Removed: WordPress CubeWP – All-in-One Dynamic Content Framework plugin <= 1.1.23 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability
  Added: WordPress CubeWP plugin <= 1.1.29 - Cross Site Request Forgery (CSRF) vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Fri, 06 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Jun 2025 13:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Emraan Cheema CubeWP – All-in-One Dynamic Content Framework allows Cross Site Request Forgery. This issue affects CubeWP – All-in-One Dynamic Content Framework: from n/a through 1.1.23.
Title WordPress CubeWP – All-in-One Dynamic Content Framework plugin <= 1.1.23 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:03.353Z

Reserved: 2025-03-26T09:22:48.161Z

Link: CVE-2025-30994

Vulnrichment

Updated: 2025-06-06T15:16:56.998Z

NVD

Status: Deferred

Published: 2025-06-06T13:15:38.677

Modified: 2026-04-23T15:27:29.223

Link: CVE-2025-30994

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:00:13Z
