Description
Cross-Site Request Forgery (CSRF) vulnerability in Md Taufiqur Rahman RIS Version Switcher – Downgrade or Upgrade WP Versions Easily ris-version-switcher allows Cross Site Request Forgery. This issue affects RIS Version Switcher – Downgrade or Upgrade WP Versions Easily: from n/a through <= 1.0.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in a WordPress plugin that lets administrators switch the WordPress core version. The plugin processes a version-change request without verifying its origin, so a crafted request submitted from an attacker-controlled page in a logged-in administrator's browser can trigger a core downgrade or upgrade. Downgrading to an older, vulnerable WordPress release can reintroduce known security holes, cause configuration drift, or expose the site to code-execution flaws that later releases fixed. The weakness is a classic CSRF flaw (CWE‑352).

Affected Systems

The issue affects the RIS Version Switcher – Downgrade or Upgrade WP Versions Easily plugin developed by Md Taufiqur Rahman. Any WordPress site that has this plugin installed and running any version up to and including 1.0 is affected.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of current exploitation. The vulnerability is not listed in CISA's KEV catalog. An attacker would need to trick a logged‑in user with sufficient privileges into visiting a malicious site that sends a forged request to the plugin's endpoint; no direct network attack is required. If the victim is an administrator, the attacker can change the core WordPress version and potentially introduce security weaknesses.

Generated by OpenCVE AI on April 30, 2026 at 00:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the RIS Version Switcher plugin to the latest version or remove it if not needed
  • Require that only users with the Administrator role can initiate a version change, or disable the switcher functionality entirely until a patch is available
  • Add CSRF protection to the plugin’s version change form, such as a WordPress nonce, to prevent forged requests
  • Use a role‑based access control plugin to block non‑admin users from accessing the switcher interface
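The nonce-plus-capability pattern the recommendations above describe, shown as an added WordPress example; this is not the plugin's own code, and the action slug, field names, function names and the `ris_demo_version_switched` hook are assumed placeholders.

```php
<?php
// Added illustration of WordPress CSRF protection (not the plugin's own code).
// All action, field and function names below are assumed placeholders.

// Render the version-change form. wp_nonce_field() embeds a per-user,
// time-limited token bound to the action 'ris_switch_version'.
function ris_demo_render_form() {
    if ( ! current_user_can( 'update_core' ) ) {
        return; // Users who may not update core never see the control.
    }
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'ris_switch_version', 'ris_switch_nonce' );
    echo '<input type="hidden" name="action" value="ris_switch_version">';
    echo '<input type="text" name="target_version" value="">';
    submit_button( 'Switch version' );
    echo '</form>';
}

// Handle the POST. Reject any request that lacks a valid nonce or comes from
// a user without the capability, before any state change happens.
function ris_demo_handle_switch() {
    // check_admin_referer() stops the request when the nonce is missing, expired,
    // or was issued for another user or action, which is what a forged
    // cross-site request looks like.
    check_admin_referer( 'ris_switch_version', 'ris_switch_nonce' );

    if ( ! current_user_can( 'update_core' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }

    $version = isset( $_POST['target_version'] )
        ? sanitize_text_field( wp_unslash( $_POST['target_version'] ) )
        : '';
    if ( ! preg_match( '/^\d+\.\d+(\.\d+)?$/', $version ) ) {
        wp_die( 'Invalid version string.', '', array( 'response' => 400 ) );
    }

    // The actual core version change would happen here (omitted).
    // Hypothetical hook so an audit-log plugin can record who switched to what.
    do_action( 'ris_demo_version_switched', $version, get_current_user_id() );

    wp_safe_redirect( admin_url( 'update-core.php' ) );
    exit;
}
// Only the authenticated admin_post_ hook is registered (no admin_post_nopriv_),
// so requests without a logged-in session never reach the handler.
add_action( 'admin_post_ris_switch_version', 'ris_demo_handle_switch' );
```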

Advisories
Source: EUVD
ID: EUVD-2025-30723
Title: Cross-Site Request Forgery (CSRF) vulnerability in Md Taufiqur Rahman RIS Version Switcher – Downgrade or Upgrade WP Versions Easily allows Cross Site Request Forgery. This issue affects RIS Version Switcher – Downgrade or Upgrade WP Versions Easily: from n/a through 1.0.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Md Taufiqur Rahman RIS Version Switcher &#8211; Downgrade or Upgrade WP Versions Easily ris-version-switcher allows Cross Site Request Forgery.This issue affects RIS Version Switcher &#8211; Downgrade or Upgrade WP Versions Easily: from n/a through <= 1.0.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Md Taufiqur Rahman RIS Version Switcher – Downgrade or Upgrade WP Versions Easily ris-version-switcher allows Cross Site Request Forgery.This issue affects RIS Version Switcher – Downgrade or Upgrade WP Versions Easily: from n/a through <= 1.0.

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in Md Taufiqur Rahman RIS Version Switcher &#8211; Downgrade or Upgrade WP Versions Easily allows Cross Site Request Forgery. This issue affects RIS Version Switcher &#8211; Downgrade or Upgrade WP Versions Easily: from n/a through 1.0.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Md Taufiqur Rahman RIS Version Switcher &#8211; Downgrade or Upgrade WP Versions Easily ris-version-switcher allows Cross Site Request Forgery.This issue affects RIS Version Switcher &#8211; Downgrade or Upgrade WP Versions Easily: from n/a through <= 1.0.
Type: References
Type: Metrics (cvssV3_1)
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

Tue, 23 Sep 2025 21:15:00 +0000

Type: Metrics (ssvc)
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Sep 2025 16:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Mon, 22 Sep 2025 18:45:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Md Taufiqur Rahman RIS Version Switcher &#8211; Downgrade or Upgrade WP Versions Easily allows Cross Site Request Forgery. This issue affects RIS Version Switcher &#8211; Downgrade or Upgrade WP Versions Easily: from n/a through 1.0.
Type: Title
Values Added: WordPress RIS Version Switcher – Downgrade or Upgrade WP Versions Easily Plugin <= 1.0 - Cross Site Request Forgery (CSRF) Vulnerability
Type: Weaknesses
Values Added: CWE-352
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:37.964Z

Reserved: 2025-08-22T11:35:51.303Z

Link: CVE-2025-57902

Vulnrichment

Updated: 2025-09-23T20:31:14.683Z

NVD

Status : Deferred

Published: 2025-09-22T19:15:45.730

Modified: 2026-04-28T19:33:55.290

Link: CVE-2025-57902

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T00:45:24Z

Weaknesses