Description
Cross-Site Request Forgery (CSRF) vulnerability in Frenify Mow mow allows Code Injection.This issue affects Mow: from n/a through <= 4.10.
Published: 2025-09-09
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cross‑Site Request Forgery (CWE‑352) is present in Frenify Mow theme versions up to 4.10. The flaw permits an attacker to inject code on a vulnerable WordPress site by tricking a logged‑in administrator into submitting a forged request. The injected code would run with the privileges of that administrator. Based on the description, it is inferred that such code could potentially lead to further compromise, but the exact scope depends on the code executed and the site configuration.

Affected Systems

Affecting WordPress sites that use the Frenify Mow theme version 4.10 or earlier, any installation that has not been updated to a newer release remains vulnerable. The vulnerability applies to all theme files that handle state‑changing requests without proper CSRF protection.

Risk and Exploitability

With a CVSS score of 9.6 the flaw is considered critical, while an EPSS score of less than 1% suggests that exploitation cases have not been observed. The vulnerability is not listed in the CISA KEV catalog. Based on standard CSRF characteristics, an attacker would need an authenticated session or would have to trick a logged‑in user into sending a forged request; this is inferred from the description. Even though the likelihood is low, the high severity warrants prompt remediation.

Generated by OpenCVE AI on April 30, 2026 at 06:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Mow theme to the latest release that removes the CSRF flaw or update WordPress core and other plugins to their latest versions.
  • If the upgrade cannot be performed immediately, deactivate or uninstall the Mow theme to prevent the vulnerable code from executing.
  • As a temporary workaround, ensure that all forms and state‑changing actions in the theme implement proper WordPress nonces or similar CSRF checks that validate the request origin before executing code.

Generated by OpenCVE AI on April 30, 2026 at 06:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-27407 Cross-Site Request Forgery (CSRF) vulnerability in Frenify Mow allows Code Injection. This issue affects Mow: from n/a through 4.10.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Frenify Mow allows Code Injection. This issue affects Mow: from n/a through 4.10. Cross-Site Request Forgery (CSRF) vulnerability in Frenify Mow mow allows Code Injection.This issue affects Mow: from n/a through <= 4.10.
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Tue, 09 Sep 2025 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Sep 2025 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 09 Sep 2025 16:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Frenify Mow allows Code Injection. This issue affects Mow: from n/a through 4.10.
Title WordPress Mow Theme <= 4.10 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:51.884Z

Reserved: 2025-09-06T04:45:29.150Z

Link: CVE-2025-58997

cve-icon Vulnrichment

Updated: 2025-09-09T18:39:49.816Z

cve-icon NVD

Status : Deferred

Published: 2025-09-09T17:16:14.427

Modified: 2026-04-23T15:34:01.170

Link: CVE-2025-58997

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T07:00:13Z

Weaknesses