Description
Cross-Site Request Forgery (CSRF) vulnerability in Esselink.nu Esselink.nu Settings esselinknu-settings allows Reflected XSS. This issue affects Esselink.nu Settings: from n/a through <= 4.5.
Published: 2025-06-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Esselink.nu Settings is a CSRF flaw that also permits reflected XSS, enabling an attacker to coerce a legitimate user into submitting requests that execute unintended actions or inject malicious scripts. The weakness is identified as CWE‑352, indicating a failure to adequately check the origin of state‑changing requests.

Affected Systems

Any WordPress site running Esselink.nu Settings version 4.5 or earlier is susceptible; the vulnerability applies from the earliest available version through version 4.5.

Risk and Exploitability

The CVSS score is 7.1, reflecting a high potential for exploitation, but the EPSS score of less than 0.01% suggests a low likelihood of widespread attack. The vulnerability is not listed in CISA KEV, indicating no known large‑scale exploitation, and the attack vector is likely a crafted HTTP request that requires the victim to click a link or visit a malicious page.

Generated by OpenCVE AI on April 30, 2026 at 11:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Esselink.nu Settings plugin to the latest version that includes the CSRF fix
  • If an update is unavailable, restrict or disable the plugin’s administrative endpoints to prevent unauthenticated requests
  • Apply a security plugin or web application firewall that validates CSRF tokens for all state‑changing admin actions

Generated by OpenCVE AI on April 30, 2026 at 11:07 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-28468
Title: Cross-Site Request Forgery (CSRF) vulnerability in Esselink.nu Esselink.nu Settings allows Reflected XSS. This issue affects Esselink.nu Settings: from n/a through 2.94.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
  Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Esselink.nu Esselink.nu Settings esselinknu-settings allows Reflected XSS.This issue affects Esselink.nu Settings: from n/a through <= 4.6.
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Esselink.nu Esselink.nu Settings esselinknu-settings allows Reflected XSS.This issue affects Esselink.nu Settings: from n/a through <= 4.5.

Type: Title
  Values Removed: WordPress Esselink.nu Settings plugin <= 4.6 - Cross Site Request Forgery (CSRF) vulnerability
  Values Added: WordPress Esselink.nu Settings plugin <= 4.5 - Cross Site Request Forgery (CSRF) vulnerability

Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
  Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Esselink.nu Esselink.nu Settings esselinknu-settings allows Reflected XSS.This issue affects Esselink.nu Settings: from n/a through <= 4.5.
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Esselink.nu Esselink.nu Settings esselinknu-settings allows Reflected XSS.This issue affects Esselink.nu Settings: from n/a through <= 4.6.

Type: Title
  Values Removed: WordPress Esselink.nu Settings plugin <= 4.5 - Cross Site Request Forgery (CSRF) vulnerability
  Values Added: WordPress Esselink.nu Settings plugin <= 4.6 - Cross Site Request Forgery (CSRF) vulnerability

Type: Metrics (cvssV3_1)
  Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
  Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Esselink.nu Esselink.nu Settings allows Reflected XSS. This issue affects Esselink.nu Settings: from n/a through 2.94.
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Esselink.nu Esselink.nu Settings esselinknu-settings allows Reflected XSS.This issue affects Esselink.nu Settings: from n/a through <= 4.5.

Type: Title
  Values Removed: WordPress Esselink.nu Settings plugin <= 2.94 - Cross Site Request Forgery (CSRF) Vulnerability
  Values Added: WordPress Esselink.nu Settings plugin <= 4.5 - Cross Site Request Forgery (CSRF) vulnerability

Type: References

Type: Metrics (cvssV3_1)
  Value: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 24 Jun 2025 08:15:00 +0000

Type: Metrics (ssvc)
  Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Jun 2025 15:15:00 +0000

Type: Description
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Esselink.nu Esselink.nu Settings allows Reflected XSS. This issue affects Esselink.nu Settings: from n/a through 2.94.

Type: Title
  Values Added: WordPress Esselink.nu Settings plugin <= 2.94 - Cross Site Request Forgery (CSRF) Vulnerability

Type: Weaknesses
  Values Added: CWE-352

Type: References

Type: Metrics (cvssV3_1)
  Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:18.975Z

Reserved: 2025-06-19T10:03:22.155Z

Link: CVE-2025-52793

Vulnrichment

Updated: 2025-06-23T16:13:40.328Z

NVD

Status: Deferred

Published: 2025-06-20T15:15:34.537

Modified: 2026-04-28T19:33:27.620

Link: CVE-2025-52793

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T11:15:35Z

Weaknesses