Description
Cross-Site Request Forgery (CSRF) vulnerability in David Wood TM Replace Howdy tm-replace-howdy allows Cross Site Request Forgery.This issue affects TM Replace Howdy: from n/a through <= 1.4.2.
Published: 2025-06-20
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The TM Replace Howdy WordPress plugin contains a Cross‑Site Request Forgery flaw that can allow an attacker to trick an authenticated user into performing unwanted actions on the site. The flaw exists in all releases up to and including 1.4.2 and is known as CWE‑352. An unauthenticated attacker cannot directly exploit it, but anyone who can persuade an authenticated user to visit a crafted URL could change site settings, delete content, or otherwise compromise the site’s integrity and availability.

Affected Systems

The vulnerability is present in the TM Replace Howdy plugin distributed by David Wood. All versions from the earliest release through 1.4.2 are affected. Updated versions released after 1.4.2 are not impacted.

Risk and Exploitability

The CVSS score of 4.3 rates the issue as moderate. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalogue. The likely attack path requires an authenticated user to execute a crafted request, often via a spoofed link or form. When the target user follows the link the request is sent with the victim’s authentication cookies, causing the plugin to perform the unwanted action without any additional checks.

Generated by OpenCVE AI on April 30, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the TM Replace Howdy plugin to the latest available version (vuln fixed after 1.4.2)
  • If an upgrade is not possible, deactivate or uninstall the plugin to remove the CSRF vector
  • Block access to the plugin’s admin URLs or implement CSRF token verification for actions executed through the plugin
  • Continuously review the site’s access logs for suspicious requests that could indicate attempted exploitation

Generated by OpenCVE AI on April 30, 2026 at 17:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-18940 Cross-Site Request Forgery (CSRF) vulnerability in David Wood TM Replace Howdy allows Cross Site Request Forgery. This issue affects TM Replace Howdy: from n/a through 1.4.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in David Wood TM Replace Howdy allows Cross Site Request Forgery. This issue affects TM Replace Howdy: from n/a through 1.4.2. Cross-Site Request Forgery (CSRF) vulnerability in David Wood TM Replace Howdy tm-replace-howdy allows Cross Site Request Forgery.This issue affects TM Replace Howdy: from n/a through <= 1.4.2.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Mon, 23 Jun 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in David Wood TM Replace Howdy allows Cross Site Request Forgery. This issue affects TM Replace Howdy: from n/a through 1.4.2.
Title WordPress TM Replace Howdy plugin <= 1.4.2 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:25:00.264Z

Reserved: 2025-06-11T16:07:41.545Z

Link: CVE-2025-49972

cve-icon Vulnrichment

Updated: 2025-06-23T20:55:33.289Z

cve-icon NVD

Status : Deferred

Published: 2025-06-20T15:15:22.463

Modified: 2026-04-23T15:31:53.890

Link: CVE-2025-49972

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T17:30:26Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)