Description
Cross-Site Request Forgery (CSRF) vulnerability in Helmut Wandl Advanced Settings advanced-settings allows Cross Site Request Forgery. This issue affects Advanced Settings: from n/a through <= 3.1.1.
Published: 2025-09-09
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Helmut Wandl Advanced Settings plugin versions 3.1.1 and earlier contain a Cross-Site Request Forgery vulnerability (CWE-352). The flaw permits an attacker to trick a logged-in WordPress user into submitting unwanted requests that alter plugin settings or trigger other privileged actions. While the description does not detail the exact payload, such a flaw can lead to unintended configuration changes, potential privilege escalation, and a compromise of the site's integrity.

Affected Systems

WordPress sites that have the Helmut Wandl Advanced Settings plugin installed with a version of 3.1.1 or earlier are affected. Administrators, editors, or any other user with sufficient privileges who can be induced to visit a crafted URL while logged in is at risk.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of widespread exploitation at this time. The vulnerability is not listed in CISA's KEV catalog. The attacker needs no credentials of their own (PR:N in the CVSS vector); the flaw is triggered when an authenticated victim is induced to follow a malicious link (UI:R). Because exploitation requires a victim with an authenticated and potentially active session, the attack surface is limited but still significant for sites that rely on this plugin for configuration.

Generated by OpenCVE AI on April 30, 2026 at 06:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Helmut Wandl Advanced Settings plugin to a version where the CSRF issue has been fixed. If an official patch is unavailable, postpone new installations and plan an upgrade as soon as one is released.
  • Restrict access to the Advanced Settings administrative pages to a minimal set of trusted roles and enforce strict authentication checks before any state-changing actions are accepted.
  • Verify that all state-changing requests use WordPress nonce fields to protect against CSRF. If the plugin does not implement nonces, apply a temporary fix or disable the vulnerability-prone functions until an official patch is available.
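As an added illustration of the nonce check the third recommendation describes (example code written for this page, not taken from the Advanced Settings plugin or from OpenCVE), the snippet below shows a WordPress settings-save handler without CSRF protection and its hardened form; the option name, action slug, field names and page slug are assumed placeholders.

```php
<?php
// Added example: a minimal WordPress admin-post settings handler.
// Option name, action slug, field names and page slug are hypothetical
// placeholders, not identifiers from the Advanced Settings plugin.

// --- Weak pattern (shown for contrast, deliberately not hooked): ---
// Any request that reaches this function is acted on. A form on another
// origin that auto-submits to admin-post.php is processed with the
// victim's logged-in cookies, which is the CSRF condition (CWE-352).
function example_save_settings_unprotected() {
    update_option( 'example_plugin_setting', $_POST['example_setting'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-plugin' ) );
    exit;
}

// --- Hardened pattern: nonce in the form, capability + nonce check. ---
function example_render_settings_form() {
    $value = get_option( 'example_plugin_setting', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="example_setting" value="<?php echo esc_attr( $value ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

function example_save_settings_protected() {
    // Only users allowed to manage options may change the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() verifies the nonce, which is bound to the user,
    // the action and a time window, and dies with a 403 if it is missing or
    // invalid. A cross-site form cannot supply one: the attacker never sees it.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    $raw   = isset( $_POST['example_setting'] ) ? wp_unslash( $_POST['example_setting'] ) : '';
    $value = sanitize_text_field( $raw );
    update_option( 'example_plugin_setting', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-plugin&updated=1' ) );
    exit;
}

add_action( 'admin_post_example_save_settings', 'example_save_settings_protected' );
```

When auditing a plugin for this class of bug, look for every `admin_post_*`, `wp_ajax_*` or `admin_init` handler that calls `update_option()` and confirm a `check_admin_referer()` or `wp_verify_nonce()` call guards it.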

Advisories

Source: EUVD
ID: EUVD-2025-27289
Title: Cross-Site Request Forgery (CSRF) vulnerability in Helmut Wandl Advanced Settings allows Cross Site Request Forgery. This issue affects Advanced Settings: from n/a through 3.1.1.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1), values added:
    {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description, values removed:
    Cross-Site Request Forgery (CSRF) vulnerability in Helmut Wandl Advanced Settings allows Cross Site Request Forgery. This issue affects Advanced Settings: from n/a through 3.1.1.
  Description, values added:
    Cross-Site Request Forgery (CSRF) vulnerability in Helmut Wandl Advanced Settings advanced-settings allows Cross Site Request Forgery.This issue affects Advanced Settings: from n/a through <= 3.1.1.
  References: (no values shown)
  Metrics (cvssV3_1), values added:
    {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Tue, 09 Sep 2025 21:45:00 +0000
  First Time appeared, values added: Wordpress; Wordpress wordpress
  Vendors & Products, values added: Wordpress; Wordpress wordpress

Tue, 09 Sep 2025 17:15:00 +0000
  Metrics (ssvc), values added:
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Sep 2025 16:45:00 +0000
  Description, values added:
    Cross-Site Request Forgery (CSRF) vulnerability in Helmut Wandl Advanced Settings allows Cross Site Request Forgery. This issue affects Advanced Settings: from n/a through 3.1.1.
  Title, values added:
    WordPress Advanced Settings Plugin <= 3.1.1 - Cross Site Request Forgery (CSRF) Vulnerability
  Weaknesses, values added: CWE-352
  References: (no values shown)
  Metrics (cvssV3_1), values added:
    {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:50.829Z

Reserved: 2025-09-06T04:45:16.549Z

Link: CVE-2025-58975

Vulnrichment

Updated: 2025-09-09T17:10:54.422Z

NVD

Status : Deferred

Published: 2025-09-09T17:16:11.163

Modified: 2026-04-23T15:33:58.623

Link: CVE-2025-58975

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T07:00:13Z

Weaknesses