Description
Cross-Site Request Forgery (CSRF) vulnerability in aharonyan WP Front User Submit / Front Editor front-editor allows Cross Site Request Forgery. This issue affects WP Front User Submit / Front Editor: from n/a through <= 5.0.6.
Published: 2025-06-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross‑site request forgery flaw exists in WP Front User Submit / Front Editor, versions up to 5.0.6, where missing CSRF tokens allow an attacker to submit a forged request that the plugin processes as originating from the victim. The vulnerability can lead to integrity violations, such as posting, editing, or otherwise manipulating content, depending on the victim’s privileges. Based on the description, it is inferred that any legitimate action that the authenticated user is permitted to perform could be abused when CSRF protection is absent.

Affected Systems

The flaw affects the WordPress plugin WP Front User Submit / Front Editor developed by aharonyan, specifically installations running version 5.0.6 or earlier. Users of these versions on their WordPress sites are therefore exposed to this vulnerability.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity, while the EPSS score of less than 1% suggests a low current exploitation probability. The issue is not listed in CISA KEV, implying no widespread exploitation has been reported. The likely attack vector is a web‑based CSRF: an adversary can embed a malicious link or form in a third‑party site that, when visited by an authenticated user, will cause the user’s browser to submit a forged request to the vulnerable plugin. Exploitation requires the victim to be logged in and to possess privileges that allow the targeted action, but the impact remains significant if successful.

Generated by OpenCVE AI on April 30, 2026 at 17:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Front User Submit / Front Editor to the latest version that contains the CSRF fix (if available); otherwise contact the vendor for a patched build.
  • If immediate update is not possible, restrict the plugin’s form endpoints to authenticated users only and enforce an origin‑header check to reject cross‑origin submissions.
  • Configure an application or web‑application firewall to block unexpected CSRF requests and apply role‑based access controls to limit the actions available to low‑privilege users.



Advisories
Source: EUVD
ID: EUVD-2025-28470
Title: Cross-Site Request Forgery (CSRF) vulnerability in aharonyan WP Front User Submit / Front Editor allows Cross Site Request Forgery. This issue affects WP Front User Submit / Front Editor: from n/a through 4.9.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in aharonyan WP Front User Submit / Front Editor allows Cross Site Request Forgery. This issue affects WP Front User Submit / Front Editor: from n/a through 4.9.4.
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in aharonyan WP Front User Submit / Front Editor front-editor allows Cross Site Request Forgery. This issue affects WP Front User Submit / Front Editor: from n/a through <= 5.0.6.
Title
  Values Removed: WordPress WP Front User Submit / Front Editor plugin <= 4.9.4 - Cross Site Request Forgery (CSRF) Vulnerability
  Values Added: WordPress WP Front User Submit / Front Editor plugin <= 5.0.6 - Cross Site Request Forgery (CSRF) vulnerability
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}


Mon, 23 Jun 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in aharonyan WP Front User Submit / Front Editor allows Cross Site Request Forgery. This issue affects WP Front User Submit / Front Editor: from n/a through 4.9.4.
Title WordPress WP Front User Submit / Front Editor plugin <= 4.9.4 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:19.135Z

Reserved: 2025-06-19T10:03:22.156Z

Link: CVE-2025-52795

Vulnrichment

Updated: 2025-06-23T16:13:51.633Z

NVD

Status: Deferred

Published: 2025-06-20T15:15:34.830

Modified: 2026-04-23T15:32:11.313

Link: CVE-2025-52795

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T17:45:26Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)