Description
Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM Answers cm-answers allows Cross Site Request Forgery.This issue affects CM Answers: from n/a through <= 3.3.3.
Published: 2025-04-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CM Answers plugin for WordPress contains a Cross‑Site Request Forgery flaw that allows an attacker to trick a logged‑in user into performing unintended actions without their knowledge. This weakness arises from missing or ineffective CSRF protection when handling state‑changing requests, and it correlates with CWE-352. While the CVSS score of 4.3 indicates a moderate severity, the flaw can compromise the integrity of data or the functionality of the website by exploiting authenticated users' sessions.

Affected Systems

All installations of CreativeMindsSolutions CM Answers for WordPress from the earliest release up to and including version 3.3.3 are vulnerable. Administrators should verify the plugin version and upgrade if necessary.

Risk and Exploitability

With an EPSS score below 1 % the likelihood of exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. However, the attack vector is inferred to be user‑interaction based: an attacker hosts a malicious page that submits a forged request to the target site, relying on the victim's authenticated session cookies. Successful exploitation would allow unauthorized changes to content, configuration, or access rights, depending on the sensitive actions protected by the plugin.

Generated by OpenCVE AI on April 30, 2026 at 21:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the CM Answers plugin to at least version 3.3.4 or later where the CSRF issue is fixed.
  • If an immediate update is not possible, disable or remove the CM Answers plugin from the site to eliminate the attack surface.
  • Implement a site‑wide CSRF protection mechanism or validate the presence and legitimacy of CSRF tokens on all state‑changing requests, following best practices for WordPress plugin development.

Generated by OpenCVE AI on April 30, 2026 at 21:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-12320 Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM Answers allows Cross Site Request Forgery. This issue affects CM Answers: from n/a through 3.3.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM Answers allows Cross Site Request Forgery. This issue affects CM Answers: from n/a through 3.3.3. Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM Answers cm-answers allows Cross Site Request Forgery.This issue affects CM Answers: from n/a through <= 3.3.3.
Title WordPress CM Answers <= 3.3.3 - Cross Site Request Forgery (CSRF) Vulnerability WordPress CM Answers plugin <= 3.3.3 - Cross Site Request Forgery (CSRF) Vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Tue, 29 Apr 2025 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Cminds
Cminds cm Answers
CPEs cpe:2.3:a:cminds:cm_answers:*:*:*:*:*:wordpress:*:*
Vendors & Products Cminds
Cminds cm Answers

Tue, 22 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 22 Apr 2025 10:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM Answers allows Cross Site Request Forgery. This issue affects CM Answers: from n/a through 3.3.3.
Title WordPress CM Answers <= 3.3.3 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Cminds Cm Answers
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:37.078Z

Reserved: 2025-04-22T09:21:43.074Z

Link: CVE-2025-46246

cve-icon Vulnrichment

Updated: 2025-04-22T16:08:37.501Z

cve-icon NVD

Status : Modified

Published: 2025-04-22T10:15:18.953

Modified: 2026-04-23T15:29:56.803

Link: CVE-2025-46246

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T21:30:36Z

Weaknesses