Description
Cross-Site Request Forgery (CSRF) vulnerability in digireturn Simple Fixed Notice dn-cookie-notice allows Cross Site Request Forgery. This issue affects Simple Fixed Notice: from n/a through <= 1.6.
Published: 2025-04-01
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cross‑Site Request Forgery (CSRF) in the digireturn Simple Fixed Notice WordPress plugin (slug dn‑cookie‑notice) lets an attacker cause a logged‑in user's browser to send the plugin a request the user never intended. The weakness is classified as CWE‑352: a state‑changing request is accepted without any proof that it originated from the plugin's own interface (in WordPress terms, typically a missing nonce check), so the session cookie the browser attaches automatically is enough to authorize it. The CVE record does not say which action can be forged; the CVSS vector (C:N/I:L/A:N) indicates a limited integrity impact with no confidentiality or availability effect, which is consistent with an unauthorized change to the plugin's settings or displayed notice text. Such a change happens without the victim's knowledge.

Affected Systems

The flaw affects the digireturn Simple Fixed Notice WordPress plugin (dn‑cookie‑notice) in all versions up to and including 1.6; the record gives no lower bound ("from n/a"). Any site with one of those versions active is exposed.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (Medium) comes from the vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N: the attacker needs no privileges of their own, but the victim must interact (UI:R) and the only effect is a limited integrity change (I:L). The EPSS score below 1% indicates a low probability of exploitation in the wild at this time, and the SSVC assessment recorded on 1 Apr 2025 rates it Exploitation: none, Automatable: no, Technical Impact: partial. The vulnerability is not listed in CISA's KEV catalog. A realistic attack lures a user who is logged in to the target site, and who holds the capability the forged action requires (for plugin settings, in practice an administrator), to a page under the attacker's control that auto‑submits a form or otherwise triggers a request to the plugin's endpoint; the browser attaches the WordPress session cookies and the request succeeds because nothing ties it to the plugin's own form. No other prerequisites are recorded.

Generated by OpenCVE AI on May 1, 2026 at 01:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade digireturn Simple Fixed Notice as soon as the vendor publishes a release that fixes the CSRF issue; this page records no fixed version yet, so confirm the fix in the plugin's changelog before relying on an update
  • Until a fixed release exists, disable or uninstall the plugin; that is the only complete mitigation a site owner can apply
  • For the plugin developer: the fix belongs in the plugin, not in site configuration. Every state‑changing handler must verify a WordPress nonce (check_admin_referer() or wp_verify_nonce()) and the caller's capability (current_user_can()) before writing settings, and the settings form must emit that nonce with wp_nonce_field()
  • As defense in depth, configure a web application firewall to block POST requests to the plugin's admin endpoints whose Origin or Referer header does not match the site's own host; this reduces but does not remove the exposure, because the missing check remains in the code

Generated by OpenCVE AI on May 1, 2026 at 01:55 UTC.
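
As an added illustration, not code from the Simple Fixed Notice plugin or from OpenCVE, the following shows the CWE‑352 pattern described above in a WordPress settings handler: first a handler that trusts the session cookie alone, then the same handler with the nonce and capability checks WordPress provides, and the settings form that emits the nonce. The hook, option and field names (dn_example_*) are invented for the example; the plugin's real handler and endpoint are not described on this page.

```php
<?php
/**
 * Added illustration (not the Simple Fixed Notice plugin's own code) of the
 * CWE-352 pattern in a WordPress settings handler, without and then with the
 * checks WordPress provides. All dn_example_* names are invented.
 */

// --- Vulnerable shape: any POST that reaches admin-post.php with this action
// is honoured as long as the victim's browser carries a valid logged-in cookie.
// Nothing proves the request came from the plugin's own settings form, and
// nothing checks who is asking. Shown for contrast; deliberately not hooked in.
function dn_example_save_notice_vulnerable() {
    $text = wp_kses_post( wp_unslash( $_POST['notice_text'] ?? '' ) );
    update_option( 'dn_example_notice_text', $text );
    wp_safe_redirect( admin_url( 'options-general.php?page=dn-example' ) );
    exit;
}

// --- Hardened shape: the same handler with the two checks a forged request
// cannot satisfy.
function dn_example_save_notice() {
    // 1. Capability: admin_post_{action} hooks fire for any logged-in user, so
    //    the handler itself must confirm the caller may change site settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to change this setting.', 'dn-example' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 2. Nonce: the token was rendered into this user's copy of the plugin's
    //    form for this specific action. A cross-site page cannot read it, so a
    //    forged POST fails here. check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'dn_example_save_notice', 'dn_example_nonce' );

    // 3. Sanitise before storing; CSRF protection does not replace input validation.
    $text = wp_kses_post( wp_unslash( $_POST['notice_text'] ?? '' ) );
    update_option( 'dn_example_notice_text', $text );

    wp_safe_redirect(
        add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=dn-example' ) )
    );
    exit;
}
add_action( 'admin_post_dn_example_save_notice', 'dn_example_save_notice' );

// The settings form that pairs with the hardened handler. wp_nonce_field()
// emits the hidden nonce (and a _wp_http_referer field) that the handler verifies.
function dn_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="dn_example_save_notice">
        <?php wp_nonce_field( 'dn_example_save_notice', 'dn_example_nonce' ); ?>
        <textarea name="notice_text"><?php echo esc_textarea( get_option( 'dn_example_notice_text', '' ) ); ?></textarea>
        <?php submit_button( __( 'Save notice', 'dn-example' ) ); ?>
    </form>
    <?php
}
```

The order of the checks matters: the capability test stops a low‑privileged account from calling the handler directly, while the nonce test stops an attacker's page from driving an administrator's browser into it. A nonce alone is not enough, since it only proves the request came from a form WordPress rendered for the current user, not that the user is allowed to perform the action.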


Advisories

Source: EUVD
ID: EUVD-2025-9184
Title: Cross-Site Request Forgery (CSRF) vulnerability in digireturn Simple Fixed Notice allows Cross Site Request Forgery. This issue affects Simple Fixed Notice: from n/a through 1.6.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in digireturn Simple Fixed Notice allows Cross Site Request Forgery. This issue affects Simple Fixed Notice: from n/a through 1.6.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in digireturn Simple Fixed Notice dn-cookie-notice allows Cross Site Request Forgery. This issue affects Simple Fixed Notice: from n/a through <= 1.6.

Type: References
(values not shown on this page)

Type: Metrics (cvssV3_1)
Value: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Tue, 01 Apr 2025 17:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 15:00:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in digireturn Simple Fixed Notice allows Cross Site Request Forgery. This issue affects Simple Fixed Notice: from n/a through 1.6.

Type: Title
Values Added: WordPress Simple Fixed Notice Plugin <= 1.6 - Cross Site Request Forgery (CSRF) vulnerability

Type: Weaknesses
Values Added: CWE-352

Type: References
(values not shown on this page)

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:14.277Z

Reserved: 2025-04-01T13:20:50.879Z

Link: CVE-2025-31840

Vulnrichment

Updated: 2025-04-01T16:26:00.446Z

NVD

Status : Deferred

Published: 2025-04-01T15:16:24.723

Modified: 2026-04-23T15:28:23.707

Link: CVE-2025-31840

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T02:00:06Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)