Description
Cross-Site Request Forgery (CSRF) vulnerability in PluginOps Feather Login Page feather-login-page allows Cross Site Request Forgery. This issue affects Feather Login Page: from n/a through <= 1.1.7.
Published: 2025-12-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cross‑Site Request Forgery (CWE‑352) is reported in the Feather Login Page plugin. The flaw permits a malicious site to trick a logged‑in WordPress user into sending authenticated requests to the plugin. Because the plugin does not verify user intent, an attacker can cause the user to execute any operation the plugin supports without the user’s explicit permission. The CVSS score of 4.3 reflects a moderate impact due to the potential for unauthorized plugin actions.

Affected Systems

All installations of PluginOps Feather Login Page through version 1.1.7 are affected. No newer releases have been confirmed to contain a fix.

Risk and Exploitability

The EPSS score is less than 1 %, indicating a low likelihood of exploitation in the wild, and the issue is not cataloged by CISA in KEV. Exploitation requires that a user be authenticated to WordPress and that the attacker successfully entice the user to submit a forged request from a malicious site or crafted payload. Consequently, the risk is primarily to those users who visit untrusted web content while logged into the site, characterizing the threat as a low‑probability, moderate‑severity internal compromise scenario.

Generated by OpenCVE AI on April 29, 2026 at 22:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the WordPress plugin repository or PluginOps website for a newer Feather Login Page release and install the latest version to eliminate the CSRF flaw.
  • If an update cannot be applied immediately, disable or uninstall the plugin to remove the vulnerability from the site.
  • Add CSRF protection tokens or enforce the SameSite attribute on cookies used by the plugin to reduce the chance of successful forged requests.



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in PluginOps Feather Login Page allows Cross Site Request Forgery. This issue affects Feather Login Page: from n/a through 1.1.7.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in PluginOps Feather Login Page feather-login-page allows Cross Site Request Forgery. This issue affects Feather Login Page: from n/a through <= 1.1.7.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Tue, 23 Dec 2025 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Pluginops
Pluginops feather Login Page
Wordpress
Wordpress wordpress
Vendors & Products Pluginops
Pluginops feather Login Page
Wordpress
Wordpress wordpress

Mon, 22 Dec 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Dec 2025 09:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in PluginOps Feather Login Page allows Cross Site Request Forgery. This issue affects Feather Login Page: from n/a through 1.1.7.
Title WordPress Feather Login Page plugin <= 1.1.7 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:01.739Z

Reserved: 2025-10-07T15:41:20.865Z

Link: CVE-2025-62107

Vulnrichment

Updated: 2025-12-22T13:45:08.791Z

NVD

Status: Deferred

Published: 2025-12-22T10:16:00.873

Modified: 2026-04-23T15:34:33.310

Link: CVE-2025-62107

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T22:15:16Z

Weaknesses