Description
The MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.0. This is due to missing or incorrect nonce validation on the adminOptions() function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-06-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery allowing unauthenticated users to reset the plugin’s configuration
Action: Patch Now
AI Analysis

Impact

The MicroPayments – Fans Paysite plugin for WordPress suffers from a CSRF flaw caused by missing or improper nonce validation within the adminOptions() routine. Because the handler does not verify that a settings request originated from the plugin's own admin form, an unauthenticated attacker who can induce a logged‑in administrator to click a link or submit a form can have the administrator's browser reset the plugin's settings. A reset of those settings can disrupt subscription handling, digital asset delivery, and wallet configuration, affecting service availability and possibly exposing paid content. The flaw maps to CWE‑352, the common class of cross‑site request forgery vulnerabilities.

Affected Systems

WordPress installations running the MicroPayments – Fans Paysite plugin from videowhisper, versions 3.2.0 and earlier, are affected. Any site deploying these plugin versions is at risk until the plugin is updated to a version that validates a nonce in adminOptions().

Risk and Exploitability

With a CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) the flaw is of medium severity: the integrity impact is limited to the plugin's settings, and exploitation requires user interaction. The EPSS score of less than 1% indicates a very low probability of exploitation activity, and the vulnerability is not listed in the CISA KEV catalog. To exploit it, an attacker lures an administrator into loading a malicious page or link that submits a forged request to the settings handler; the administrator's browser attaches the WordPress session cookies automatically, so the request is processed as the administrator's own and the plugin settings are reset. The attacker needs no account or credentials of their own; the victim's authenticated session supplies the privilege.

Generated by OpenCVE AI on April 21, 2026 at 19:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MicroPayments – Fans Paysite plugin to the latest released version, which includes proper nonce validation.
  • If an immediate upgrade is not feasible, restrict the plugin's settings page in wp-admin to trusted source addresses (e.g., via .htaccess or a firewall rule). This narrows who can reach the handler but does not stop a forged request issued from an administrator's own browser, so treat it as a stopgap only.
  • Deploy a Web Application Firewall or security plugin that blocks requests to the plugin's settings URLs whose Origin or Referer header is not the site itself; that header mismatch is what distinguishes a forged cross-site request from a genuine admin form submission.
  • Audit the plugin's current configuration and confirm its settings have not already been reset to defaults; restore any subscription, asset, or wallet settings that were lost.
  • Educate administrators to avoid clicking unknown links and to verify URLs before clicking, particularly while logged in to wp-admin.

Generated by OpenCVE AI on April 21, 2026 at 19:58 UTC.
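The pattern behind the flaw described in the Impact and Risk sections, and the fix the recommended actions ask for, as an added illustration that is not code from the MicroPayments plugin, its vendor, or this advisory: a WordPress settings handler that resets options on any POST, beside the hardened form that checks the caller's capability and validates a nonce with WordPress's own check_admin_referer(). The function names, option name, POST field names and page slug (example_*, example-plugin) are hypothetical; the plugin's real adminOptions() is not shown here. The code assumes WordPress core is loaded, as it is for any plugin file.

```php
<?php
// Added example (not code from the MicroPayments plugin or its vendor). The
// option name, POST field names, page slug and handler names are hypothetical;
// they illustrate the CWE-352 pattern the advisory describes, not the real
// adminOptions() implementation. Assumes WordPress core functions are loaded.

// --- Vulnerable pattern: a settings handler that trusts any POST ----------
// Any request that reaches this code resets or rewrites the options. Browsers
// attach the admin's cookies to a cross-site form post, so a page the admin
// visits elsewhere can submit this form on their behalf.
function example_vulnerable_admin_options() {
    if ( isset( $_POST['example_reset'] ) ) {
        delete_option( 'example_plugin_options' );   // settings reset, no check
    }
    if ( isset( $_POST['example_save'] ) ) {
        update_option( 'example_plugin_options', array(
            'wallet_currency' => sanitize_text_field( wp_unslash( $_POST['wallet_currency'] ?? '' ) ),
        ) );
    }
}

// --- Hardened pattern: capability check plus nonce validation -------------
// The nonce is bound to the logged-in user and to one named action, so a
// request forged from another origin cannot carry a valid one.
const EXAMPLE_NONCE_ACTION = 'example_plugin_save_options';

function example_hardened_admin_options() {
    if ( empty( $_POST ) ) {
        return; // nothing submitted; the page just renders the form
    }
    // Authorization first: only users who may manage options get further.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF check: check_admin_referer() calls wp_die() (HTTP 403) on a missing
    // or invalid nonce, so execution only continues for a genuine submission.
    check_admin_referer( EXAMPLE_NONCE_ACTION, 'example_nonce' );

    if ( isset( $_POST['example_reset'] ) ) {
        delete_option( 'example_plugin_options' );
    } elseif ( isset( $_POST['example_save'] ) ) {
        update_option( 'example_plugin_options', array(
            'wallet_currency' => sanitize_text_field( wp_unslash( $_POST['wallet_currency'] ?? '' ) ),
        ) );
    }
    // Redirect after POST so a browser refresh cannot replay the write.
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=example-plugin' ) ) );
    exit;
}

// The form the hardened handler expects: wp_nonce_field() emits the hidden
// 'example_nonce' field (plus a hidden referer field) for this action.
function example_render_options_form() {
    $opts = get_option( 'example_plugin_options', array( 'wallet_currency' => 'USD' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=example-plugin' ) ); ?>">
        <?php wp_nonce_field( EXAMPLE_NONCE_ACTION, 'example_nonce' ); ?>
        <label>Wallet currency
            <input type="text" name="wallet_currency"
                   value="<?php echo esc_attr( $opts['wallet_currency'] ); ?>">
        </label>
        <?php submit_button( 'Save', 'primary', 'example_save', false ); ?>
        <?php submit_button( 'Reset to defaults', 'delete', 'example_reset', false ); ?>
    </form>
    <?php
}
```

To check a deployed fix from the outside, submit the settings form while logged in as an administrator with the nonce field removed or altered: check_admin_referer() answers with a wp_die() page ("The link you followed has expired.") and HTTP 403 instead of changing the options. A nonce only proves the request came from a form the site rendered for that user; it is not an authorization check, which is why the hardened handler also tests current_user_can('manage_options') before touching anything.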

Advisories

Source: EUVD
ID: EUVD-2025-19575
Title: The MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.0. This is due to missing or incorrect nonce validation on the adminOptions() function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Tue, 08 Jul 2025 15:15:00 +0000

  Values added:
    First time appeared: Videowhisper; Videowhisper micropayments
    CPEs: cpe:2.3:a:videowhisper:micropayments:*:*:*:*:*:wordpress:*:*
    Vendors & Products: Videowhisper; Videowhisper micropayments

Mon, 30 Jun 2025 19:15:00 +0000

  Values added:
    Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 28 Jun 2025 07:45:00 +0000

  Values added:
    Description: The MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.0. This is due to missing or incorrect nonce validation on the adminOptions() function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
    Title: MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet <= 3.2.0 - Cross-Site Request Forgery to Settings Reset
    Weaknesses: CWE-352
    References:
    Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:42.452Z

Reserved: 2025-06-09T15:40:57.508Z

Link: CVE-2025-5937

Vulnrichment

Updated: 2025-06-30T18:33:02.436Z

NVD

Status : Analyzed

Published: 2025-06-28T08:15:25.143

Modified: 2025-07-08T14:46:09.287

Link: CVE-2025-5937

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T20:00:25Z

Weaknesses