Description
Cross-Site Request Forgery (CSRF) vulnerability in javothemes Javo Core javo-core allows Authentication Bypass.This issue affects Javo Core: from n/a through <= 3.0.0.266.
Published: 2025-09-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a CSRF flaw that permits an attacker to force a victim's browser to execute actions that normally require authentication, effectively bypassing the login mechanism. The flaw is categorized as CWE-352 and can compromise the integrity and availability of the WordPress site by allowing unauthorized operations once the forgery is successful.

Affected Systems

The Javo Core plugin for WordPress, sold by javothemes, is affected in all releases through version 3.0.0.266. No further version details are listed in the CNA data. Sites using any of these vulnerable releases are at risk.

Risk and Exploitability

The CVSS score of 8.8 quantifies a high severity risk, while the EPSS score of less than 1 % indicates that, at present, active exploitation of this flaw is uncommon but still possible. Based on the description, it is inferred that the attacker must trigger a forged request from the victim’s browser; therefore the attacker requires either user interaction or another vulnerability that can coerce the browser into submitting the request. As the vulnerability is not listed in the CISA KEV catalog, it is not currently flagged as a known exploited vulnerability, but the potential impact remains significant for sites running the affected plugin.

Generated by OpenCVE AI on April 30, 2026 at 14:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Javo Core plugin to version 3.0.0.267 or later (fix is included in subsequent releases).
  • Ensure that all state‑changing endpoints in the plugin enforce the presence of a valid CSRF token (inferred from the CWE‑352 classification).
  • Restrict privileged actions to authenticated administrators and consider enforcing the SameSite=Strict attribute on session cookies to reduce CSRF risk (inferred).

Generated by OpenCVE AI on April 30, 2026 at 14:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-31289 Cross-Site Request Forgery (CSRF) vulnerability in javothemes Javo Core allows Authentication Bypass. This issue affects Javo Core: from n/a through 3.0.0.266.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in javothemes Javo Core allows Authentication Bypass. This issue affects Javo Core: from n/a through 3.0.0.266. Cross-Site Request Forgery (CSRF) vulnerability in javothemes Javo Core javo-core allows Authentication Bypass.This issue affects Javo Core: from n/a through <= 3.0.0.266.
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Mon, 29 Sep 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Javothemes
Javothemes javo Core
Wordpress
Wordpress wordpress
Vendors & Products Javothemes
Javothemes javo Core
Wordpress
Wordpress wordpress

Fri, 26 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 26 Sep 2025 08:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in javothemes Javo Core allows Authentication Bypass. This issue affects Javo Core: from n/a through 3.0.0.266.
Title WordPress Javo Core Plugin <= 3.0.0.266 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Javothemes Javo Core
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:54.890Z

Reserved: 2025-09-25T15:20:22.597Z

Link: CVE-2025-60111

cve-icon Vulnrichment

Updated: 2025-09-26T13:13:58.980Z

cve-icon NVD

Status : Deferred

Published: 2025-09-26T09:15:37.407

Modified: 2026-04-23T15:34:14.373

Link: CVE-2025-60111

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T15:00:14Z

Weaknesses