Description
Cross-Site Request Forgery (CSRF) vulnerability in kamleshyadav Pixel WordPress Form BuilderPlugin & Autoresponder pixel-formbuilder allows Cross Site Request Forgery. This issue affects Pixel WordPress Form BuilderPlugin & Autoresponder: from n/a through <= 1.0.3.
Published: 2025-05-16
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a classic CSRF flaw that allows an attacker to force a logged‑in WordPress user to submit crafted requests to the Pixel WordPress Form BuilderPlugin & Autoresponder. By exploiting this, an attacker can perform any action that the victim is authenticated to perform, such as altering form settings, deleting forms, or redirecting traffic. The weakness is identified as CWE‑352, marking it as a failure of protection against tampered requests that can result in unauthorized operations.

Affected Systems

The flaw affects the Pixel WordPress Form BuilderPlugin & Autoresponder plugin in all releases through version 1.0.3; any WordPress installation running these versions is potentially vulnerable. Users with versions 1.0.2 or earlier are likewise exposed.

Risk and Exploitability

The CVSS score of 5.4 places this vulnerability in the Medium severity range. The EPSS score is less than 1%, indicating a very low probability of exploitation in the wild at the time of this analysis. The vulnerability is not listed in CISA's KEV catalog, further suggesting limited exploitation activity. The likely attack vector is a malicious web page or link that tricks a logged‑in visitor into sending a forged request to the plugin endpoint, leveraging the lack of a valid nonce or token.

Generated by OpenCVE AI on May 2, 2026 at 01:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Pixel WordPress Form BuilderPlugin & Autoresponder to the latest version released by the vendor, which should include CSRF protection.
  • If an update is not immediately available or the plugin is not needed, completely disable or uninstall the plugin to eliminate the attack surface.
  • Configure a firewall or security plugin to block any POST or GET requests to the plugin’s endpoint that lack a valid WordPress nonce or referer header, thereby mitigating the CSRF attack path.

Advisories
Source: EUVD
ID: EUVD-2025-15472
Title: Cross-Site Request Forgery (CSRF) vulnerability in kamleshyadav Pixel WordPress Form BuilderPlugin & Autoresponder allows Cross Site Request Forgery. This issue affects Pixel WordPress Form BuilderPlugin & Autoresponder: from n/a through 1.0.2.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Cross-Site Request Forgery (CSRF) vulnerability in kamleshyadav Pixel WordPress Form BuilderPlugin & Autoresponder allows Cross Site Request Forgery. This issue affects Pixel WordPress Form BuilderPlugin & Autoresponder: from n/a through 1.0.2.
  Added: Cross-Site Request Forgery (CSRF) vulnerability in kamleshyadav Pixel WordPress Form BuilderPlugin & Autoresponder pixel-formbuilder allows Cross Site Request Forgery. This issue affects Pixel WordPress Form BuilderPlugin & Autoresponder: from n/a through <= 1.0.3.
Title
  Removed: WordPress Pixel WordPress Form BuilderPlugin & Autoresponder <= 1.0.2 - Cross Site Request Forgery (CSRF) Vulnerability
  Added: WordPress Pixel Form BuilderPlugin & Autoresponder plugin <= 1.0.3 - Cross Site Request Forgery (CSRF) vulnerability
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}


Fri, 16 May 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 16 May 2025 16:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in kamleshyadav Pixel WordPress Form BuilderPlugin & Autoresponder allows Cross Site Request Forgery. This issue affects Pixel WordPress Form BuilderPlugin & Autoresponder: from n/a through 1.0.2.
Title WordPress Pixel WordPress Form BuilderPlugin & Autoresponder <= 1.0.2 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:16.270Z

Reserved: 2025-04-01T13:21:47.738Z

Link: CVE-2025-31915

Vulnrichment

Updated: 2025-05-16T16:41:02.753Z

NVD

Status: Deferred

Published: 2025-05-16T16:15:37.817

Modified: 2026-04-23T15:28:32.583

Link: CVE-2025-31915

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T01:45:26Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)