Description
Cross-Site Request Forgery (CSRF) vulnerability in tobias_.MerZ Browser Caching with .htaccess allows Cross Site Request Forgery. This issue affects Browser Caching with .htaccess: from 1.2.1 through n/a.
Published: 2025-03-28
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic CSRF flaw (CWE‑352) that allows an attacker to submit state‑changing requests on behalf of a logged‑in user. Because the plugin does not perform proper verification of authenticated requests, any action that requires user privileges (such as updating settings or clearing caches) could be performed without the user’s consent. The impact does not include remote code execution but can lead to unauthorized configuration changes or other privileged actions on the WordPress site.

Affected Systems

The WordPress plugin Browser Caching with .htaccess, developed by tobias_.MerZ, is affected. All releases from version 1.2.1 onward are vulnerable; earlier versions are not known to contain this flaw.

Risk and Exploitability

The CVSS score is 5.4, indicating a moderate severity. The EPSS score is reported as <1 %, suggesting that exploitation attempts are currently rare. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a typical CSRF scenario: an attacker must trick an authenticated user into visiting a malicious page or triggering a crafted request that the plugin accepts as a legitimate request. This inference is drawn from the nature of the vulnerability and known CSRF patterns.

Generated by OpenCVE AI on May 2, 2026 at 02:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Browser Caching with .htaccess to the latest released version or apply any vendor‑provided patch that addresses the CSRF flaw.
  • If a patched version is not available, consider removing or disabling the plugin entirely or restricting its functionality to non‑administrative contexts.
  • Add a CSRF protection mechanism, such as a security plugin that enforces nonce checks for all state‑changing WordPress actions, which mitigates the underlying weakness (CWE‑352).



Advisories

| Source | ID | Title |
| --- | --- | --- |
| EUVD | EUVD-2025-8610 | Cross-Site Request Forgery (CSRF) vulnerability in tobias_.MerZ Browser Caching with .htaccess allows Cross Site Request Forgery. This issue affects Browser Caching with .htaccess: from 1.2.1 through n/a. |

History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | Cross-Site Request Forgery (CSRF) vulnerability in tobias_.MerZ Browser Caching with .htaccess browser-caching-with-htaccess allows Cross Site Request Forgery.This issue affects Browser Caching with .htaccess: from n/a through 1.2.1. | Cross-Site Request Forgery (CSRF) vulnerability in tobias_.MerZ Browser Caching with .htaccess allows Cross Site Request Forgery. This issue affects Browser Caching with .htaccess: from 1.2.1 through n/a. |
| Title | WordPress Browser Caching with .htaccess 1.2.1 plugin - Cross Site Request Forgery (CSRF) Vulnerability | WordPress Browser Caching with .htaccess 1.2.1 - Cross Site Request Forgery (CSRF) Vulnerability |
| References | | |

Thu, 23 Apr 2026 15:30:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | Cross-Site Request Forgery (CSRF) vulnerability in tobias_.MerZ Browser Caching with .htaccess allows Cross Site Request Forgery. This issue affects Browser Caching with .htaccess: from 1.2.1 through n/a. | Cross-Site Request Forgery (CSRF) vulnerability in tobias_.MerZ Browser Caching with .htaccess browser-caching-with-htaccess allows Cross Site Request Forgery.This issue affects Browser Caching with .htaccess: from n/a through 1.2.1. |
| Title | WordPress Browser Caching with .htaccess 1.2.1 - Cross Site Request Forgery (CSRF) Vulnerability | WordPress Browser Caching with .htaccess 1.2.1 plugin - Cross Site Request Forgery (CSRF) Vulnerability |
| References | | |

Fri, 28 Mar 2025 13:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 28 Mar 2025 12:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Cross-Site Request Forgery (CSRF) vulnerability in tobias_.MerZ Browser Caching with .htaccess allows Cross Site Request Forgery. This issue affects Browser Caching with .htaccess: from 1.2.1 through n/a. |
| Title | | WordPress Browser Caching with .htaccess 1.2.1 - Cross Site Request Forgery (CSRF) Vulnerability |
| Weaknesses | | CWE-352 |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'} |



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:07.194Z

Reserved: 2025-03-28T11:00:31.359Z

Link: CVE-2025-31439

Vulnrichment

Updated: 2025-03-28T12:37:40.261Z

NVD

Status: Deferred

Published: 2025-03-28T12:15:16.630

Modified: 2026-04-28T19:31:03.670

Link: CVE-2025-31439

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T03:00:13Z

Weaknesses