Description
Cross-Site Request Forgery (CSRF) vulnerability in Di Themes Di Themes Demo Site Importer di-themes-demo-site-importer allows Cross Site Request Forgery.This issue affects Di Themes Demo Site Importer: from n/a through <= 1.2.
Published: 2025-09-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery (CSRF) that allows an attacker to trigger the activation of the Di Themes Demo Site Importer plugin without the site administrator’s consent. This could enable the attacker to install and activate the plugin, potentially opening the door to additional exploitation if the activated plugin contains further flaws. The weakness mapped to CWE‑352 indicates the lack of proper anti‑CSRF mechanisms for the activation endpoint.

Affected Systems

WordPress installations that have Di Themes Demo Site Importer version 1.2 or earlier. The affected vendor is Di Themes, and the product is the Demo Site Importer plugin. Any site whose WordPress environment includes that plugin in a version <=1.2 is vulnerable.

Risk and Exploitability

The CVSS score of 4.3 reflects moderate risk, but the EPSS score of <1% suggests that exploitation is currently considered unlikely. The vulnerability is not listed in the CISA KEV catalog. The likely attack path requires a user to be authenticated as an administrator on the target site and then visit an attacker‑controlled page that submits a request to activate the plugin. Once activated, the plugin’s functionality could be leveraged for further attacks if other weaknesses exist.

Generated by OpenCVE AI on April 30, 2026 at 00:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Di Themes Demo Site Importer to a version newer than 1.2 to eliminate the CSRF flaw.
  • Disable plugin activation permissions for non‑administrator roles to limit the impact of potential unauthorized activations.
  • Audit current installations for the presence of this plugin version and remove it if it cannot be upgraded promptly.

Generated by OpenCVE AI on April 30, 2026 at 00:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-31314 Cross-Site Request Forgery (CSRF) vulnerability in Di Themes Di Themes Demo Site Importer allows Cross Site Request Forgery. This issue affects Di Themes Demo Site Importer: from n/a through 1.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Di Themes Di Themes Demo Site Importer allows Cross Site Request Forgery. This issue affects Di Themes Demo Site Importer: from n/a through 1.2. Cross-Site Request Forgery (CSRF) vulnerability in Di Themes Di Themes Demo Site Importer di-themes-demo-site-importer allows Cross Site Request Forgery.This issue affects Di Themes Demo Site Importer: from n/a through <= 1.2.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Mon, 29 Sep 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 26 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Sep 2025 08:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Di Themes Di Themes Demo Site Importer allows Cross Site Request Forgery. This issue affects Di Themes Demo Site Importer: from n/a through 1.2.
Title WordPress Di Themes Demo Site Importer plugin <= 1.2 - Cross Site Request Forgery (CSRF) to Plugin Activation vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:49.392Z

Reserved: 2025-09-06T04:44:19.610Z

Link: CVE-2025-58914

cve-icon Vulnrichment

Updated: 2025-09-26T14:06:05.044Z

cve-icon NVD

Status : Deferred

Published: 2025-09-26T09:15:32.630

Modified: 2026-04-23T15:33:52.027

Link: CVE-2025-58914

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T00:30:23Z

Weaknesses