Description
Cross-Site Request Forgery (CSRF) vulnerability in Igor Benic Simple Giveaways giveasap allows Cross Site Request Forgery.This issue affects Simple Giveaways: from n/a through <= 2.49.0.
Published: 2025-05-07
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Simple Giveaways is affected by a CSRF flaw that lets a malicious web page create forged requests to the plugin’s administrative endpoints. An attacker can trigger actions that the visitor performed without their consent, potentially altering giveaway settings or permissions. The weakness hinges on insufficient origin validation (CWE‑352).

Affected Systems

WordPress sites running Igor Benic’s Simple Giveaways plugin versions up to and including 2.49.0 are vulnerable. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw by sending a forged POST request from a malicious site; no authentication or elevated privileges are required beyond those of the targeted user. Once triggered, the impact is limited to the affected plugin’s configuration and does not expose the operating system or database directly.

Generated by OpenCVE AI on April 30, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install a version of Simple Giveaways newer than 2.49.0 that includes the CSRF countermeasure.
  • If an upgrade cannot be performed immediately, restrict access to the giveaway configuration pages to administrators only, for example by applying a role‑based restriction rule or a custom rewrite rule.
  • Deploy a web‑application‑firewall rule that blocks POST requests to giveaway administrative URLs unless a valid nonce or referer header is present.

Generated by OpenCVE AI on April 30, 2026 at 13:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-13771 Cross-Site Request Forgery (CSRF) vulnerability in Igor Benic Simple Giveaways allows Cross Site Request Forgery. This issue affects Simple Giveaways: from n/a through 2.48.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Igor Benic Simple Giveaways allows Cross Site Request Forgery. This issue affects Simple Giveaways: from n/a through 2.48.2. Cross-Site Request Forgery (CSRF) vulnerability in Igor Benic Simple Giveaways giveasap allows Cross Site Request Forgery.This issue affects Simple Giveaways: from n/a through <= 2.49.0.
Title WordPress Simple Giveaways <= 2.48.2 - Cross Site Request Forgery (CSRF) Vulnerability WordPress Simple Giveaways plugin <= 2.49.0 - Cross Site Request Forgery (CSRF) vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00017}

 epss

{'score': 0.0002}

Wed, 07 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 May 2025 14:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Igor Benic Simple Giveaways allows Cross Site Request Forgery. This issue affects Simple Giveaways: from n/a through 2.48.2.
Title WordPress Simple Giveaways <= 2.48.2 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:46.889Z

Reserved: 2025-05-07T10:44:26.562Z

Link: CVE-2025-47606

cve-icon Vulnrichment

Updated: 2025-05-07T17:19:35.663Z

cve-icon NVD

Status : Deferred

Published: 2025-05-07T15:16:13.983

Modified: 2026-04-23T15:30:35.877

Link: CVE-2025-47606

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T13:30:15Z

Weaknesses