Description
Cross-Site Request Forgery (CSRF) vulnerability in Epsiloncool WP Fast Total Search fulltext-search allows Cross Site Request Forgery. This issue affects WP Fast Total Search: from n/a through <= 1.79.270.
Published: 2025-08-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a CSRF flaw (CWE-352) in the Epsiloncool WP Fast Total Search plugin: at least one state-changing request the plugin handles is accepted without a valid anti-CSRF token. An attacker who lures an authenticated WordPress user to a page they control can therefore make that user's browser submit a forged request, which the site processes with the victim's session cookies and privileges. The attacker needs no account of their own (CVSS PR:N), but the victim has to interact (UI:R). The CVSS vector records a low integrity impact and no confidentiality or availability impact (C:N/I:L/A:N), consistent with an attacker altering plugin configuration or other data the affected endpoint writes on the victim's behalf; the advisory does not identify which endpoint or setting is affected.

Affected Systems

All WordPress installations running the WP Fast Total Search plugin by Epsiloncool at version 1.79.270 or earlier are affected. No lower bound is listed ("from n/a"), so every release up to and including 1.79.270 should be treated as vulnerable. The installed version can be checked under Plugins in wp-admin or with WP-CLI (`wp plugin list`).

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (Medium; vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) reflects a network-reachable flaw that needs no attacker privileges but does need victim interaction and yields only a low integrity impact. The EPSS score below 1% means the likelihood of observed exploitation is low, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment recorded below rates Exploitation "none", Automatable "no" and Technical Impact "partial". Exploitation requires a victim who is logged in to the target WordPress site with whatever role the affected action needs (the advisory does not say which) to visit an attacker-controlled page or follow a crafted link, and a forged request is only accepted while that session is valid. This is inferred from the nature of CSRF and the CWE-352 classification; no public exploit is referenced on this page.

Generated by OpenCVE AI on April 30, 2026 at 03:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Fast Total Search once a release later than 1.79.270 that addresses this issue is available; no fixed version is listed on this page, so confirm the fix in the vendor's changelog before relying on an update
  • For plugin maintainers: every state-changing admin or AJAX handler must verify a WordPress nonce (check_admin_referer() / check_ajax_referer()) and the caller's capability (current_user_can()) before acting; a nonce alone is not an authorization check
  • If an immediate upgrade is not possible, deactivating the plugin removes the exposure; otherwise a web-application firewall rule that rejects POST requests to wp-admin/admin-post.php and admin-ajax.php whose Origin or Referer header does not match the site reduces risk, but it must be tested against legitimate admin traffic and cannot rely on Origin alone, since browsers do not send Origin on top-level GET navigations
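The following is an added illustration, not code from WP Fast Total Search (the advisory does not show the affected handler): a hypothetical WordPress admin-post handler with the CWE-352 pattern described under Impact, beside the nonce-and-capability-checked form that the second recommended action calls for. All hook names, option names and the wpfts_demo prefix are invented for the example; the WordPress functions used (check_admin_referer, wp_nonce_field, current_user_can, update_option) are real core APIs.

```php
<?php
/*
 * Added example (not the plugin's own code). Demonstrates the CWE-352
 * pattern in a WordPress admin-post handler and the hardened form.
 * Hook names, option names and the 'wpfts_demo' prefix are hypothetical.
 */

/* --- Vulnerable form: any request the victim's browser sends is honoured. --- */
add_action( 'admin_post_wpfts_demo_save_unsafe', 'wpfts_demo_save_unsafe' );
function wpfts_demo_save_unsafe() {
    // No nonce and no capability check. A cross-site <form> that posts
    // action=wpfts_demo_save_unsafe to /wp-admin/admin-post.php is accepted
    // as long as the victim's wordpress_logged_in_* cookie rides along.
    $index_mode = isset( $_POST['index_mode'] )
        ? sanitize_text_field( wp_unslash( $_POST['index_mode'] ) )
        : 'default';
    update_option( 'wpfts_demo_index_mode', $index_mode );
    wp_safe_redirect( admin_url( 'options-general.php?page=wpfts-demo&saved=1' ) );
    exit;
}

/* --- Hardened form: capability check, then nonce check, then the state change. --- */
add_action( 'admin_post_wpfts_demo_save', 'wpfts_demo_save' );
function wpfts_demo_save() {
    // 1. Authorization: the logged-in user must actually be allowed to do this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 'Forbidden', array( 'response' => 403 ) );
    }
    // 2. CSRF: check_admin_referer() validates the _wpnonce field against the
    //    action string and the current user, and calls wp_die() on failure.
    //    A forged cross-site form cannot know the victim's current nonce.
    check_admin_referer( 'wpfts_demo_save_settings' );

    $index_mode = isset( $_POST['index_mode'] )
        ? sanitize_text_field( wp_unslash( $_POST['index_mode'] ) )
        : 'default';
    update_option( 'wpfts_demo_index_mode', $index_mode );
    wp_safe_redirect( admin_url( 'options-general.php?page=wpfts-demo&saved=1' ) );
    exit;
}

/* The settings form that targets the hardened handler. wp_nonce_field() emits
 * the hidden _wpnonce (and _wp_http_referer) inputs the check above requires. */
function wpfts_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpfts_demo_save">
        <?php wp_nonce_field( 'wpfts_demo_save_settings' ); ?>
        <label>Index mode
            <select name="index_mode">
                <option value="default">Default</option>
                <option value="full">Full</option>
            </select>
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The order matters: the capability check runs first so that an unprivileged but logged-in user cannot reach the action at all, and the nonce check runs second so that a privileged user's browser cannot be driven to the action from another site. WordPress nonces are tied to the user and rotate on a 12-to-24-hour window, so they stop forged requests but say nothing about whether the caller is authorized, which is why current_user_can() is still required. AJAX handlers registered with wp_ajax_* take the same two checks with check_ajax_referer() in place of check_admin_referer().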


Advisories
Source: EUVD
ID: EUVD-2025-25516
Title: Cross-Site Request Forgery (CSRF) vulnerability in Epsiloncool WP Fast Total Search allows Cross Site Request Forgery. This issue affects WP Fast Total Search: from n/a through 1.79.270.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Epsiloncool WP Fast Total Search allows Cross Site Request Forgery. This issue affects WP Fast Total Search: from n/a through 1.79.270.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Epsiloncool WP Fast Total Search fulltext-search allows Cross Site Request Forgery. This issue affects WP Fast Total Search: from n/a through <= 1.79.270.

Type: References
Value: (none listed)

Type: Metrics (cvssV3_1)
Value: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Sat, 23 Aug 2025 11:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Fri, 22 Aug 2025 13:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 Aug 2025 12:15:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Epsiloncool WP Fast Total Search allows Cross Site Request Forgery. This issue affects WP Fast Total Search: from n/a through 1.79.270.

Type: Title
Values Added: WordPress WP Fast Total Search Plugin <= 1.79.270 - Cross Site Request Forgery (CSRF) Vulnerability

Type: Weaknesses
Values Added: CWE-352

Type: References
Value: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:34:55.252Z

Reserved: 2025-08-22T11:35:36.402Z

Link: CVE-2025-57893

Vulnrichment

Updated: 2025-08-22T12:59:17.781Z

NVD

Status: Deferred

Published: 2025-08-22T12:15:33.023

Modified: 2026-04-23T15:32:58.113

Link: CVE-2025-57893

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T03:15:26Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)