Description
Cross-Site Request Forgery (CSRF) vulnerability in Jeff Starr Simple Statistics for Feeds simple-feed-stats allows Cross Site Request Forgery.This issue affects Simple Statistics for Feeds: from n/a through <= 20250322.
Published: 2025-08-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Simple Statistics for Feeds plugin contains a CSRF weakness that allows an attacker to craft a request that is executed under the identity of a logged‑in user. A victim who visits a malicious page while authenticated to the target WordPress site can trigger the insecure operation, potentially altering plugin settings, data, or other site content. The flaw is identified as CWE-352 and carries a moderate CVSS score of 4.3.

Affected Systems

WordPress plugin "Simple Statistics for Feeds" by Jeff Starr, versions up through and including 20250322, are affected.

Risk and Exploitability

The CVSS score of 4.3 suggests moderate severity, while the EPSS score below 1 percent indicates a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, and no public exploit is known. Attackers would need a victim who is authenticated on the target site and a vector to embed or trigger the forged request, making it a user‑dependent, low‑visibility attack.

Generated by OpenCVE AI on April 30, 2026 at 03:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Simple Statistics for Feeds plugin to a version newer than 20250322.
  • If an updated version is unavailable, temporarily deactivate or uninstall the plugin until a fix is released.
  • Implement site‑wide CSRF defenses by ensuring all form and AJAX endpoints use unique, hidden tokens and by validating the Referer or Origin header.

Generated by OpenCVE AI on April 30, 2026 at 03:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-25515 Cross-Site Request Forgery (CSRF) vulnerability in Jeff Starr Simple Statistics for Feeds allows Cross Site Request Forgery. This issue affects Simple Statistics for Feeds: from n/a through 20250322.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Jeff Starr Simple Statistics for Feeds allows Cross Site Request Forgery. This issue affects Simple Statistics for Feeds: from n/a through 20250322. Cross-Site Request Forgery (CSRF) vulnerability in Jeff Starr Simple Statistics for Feeds simple-feed-stats allows Cross Site Request Forgery.This issue affects Simple Statistics for Feeds: from n/a through <= 20250322.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Sun, 24 Aug 2025 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Jeff Starr
Jeff Starr simple Statistics For Feeds
Wordpress
Wordpress wordpress
Vendors & Products Jeff Starr
Jeff Starr simple Statistics For Feeds
Wordpress
Wordpress wordpress

Fri, 22 Aug 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 Aug 2025 12:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Jeff Starr Simple Statistics for Feeds allows Cross Site Request Forgery. This issue affects Simple Statistics for Feeds: from n/a through 20250322.
Title WordPress Simple Statistics for Feeds Plugin <= 20250322 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Jeff Starr Simple Statistics For Feeds
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:37.666Z

Reserved: 2025-08-22T11:35:36.402Z

Link: CVE-2025-57892

cve-icon Vulnrichment

Updated: 2025-08-22T12:59:48.268Z

cve-icon NVD

Status : Deferred

Published: 2025-08-22T12:15:32.843

Modified: 2026-04-23T15:32:58.000

Link: CVE-2025-57892

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T03:15:26Z

Weaknesses