Description
Cross-Site Request Forgery (CSRF) vulnerability in Jory Hogeveen Off-Canvas Sidebars & Menus (Slidebars) off-canvas-sidebars allows Cross Site Request Forgery. This issue affects Off-Canvas Sidebars & Menus (Slidebars): from n/a through <= 0.5.8.5.
Published: 2025-10-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross‑Site Request Forgery weakness in the Off‑Canvas Sidebars & Menus (Slidebars) plugin allows an attacker to forge requests that a target site processes with an authenticated user's privileges. The underlying weakness is that plugin endpoints do not require an anti‑CSRF token, categorized as CWE‑352. Successful exploitation could let the attacker perform actions the authenticated user is authorized to perform, such as adding or removing sidebars, thereby affecting site configuration and integrity.

Affected Systems

The affected vendor is Jory Hogeveen, whose WordPress plugin Off‑Canvas Sidebars & Menus (Slidebars) is vulnerable when installed at versions 0.5.8.5 or earlier. No other vendors or products are currently identified as affected.

Risk and Exploitability

The CVSS score is 4.3, indicating moderate severity, while the EPSS score is below 1 %, suggesting low exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. The apparent attack vector is CSRF, meaning an attacker can trigger the vulnerable action by getting an authenticated user to visit a malicious site or link, inducing a cross‑site request that the plugin accepts without verification.

Generated by OpenCVE AI on April 29, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to version 0.5.8.6 or later to eliminate the CSRF flaw.
  • If an upgrade is not immediately possible, disable the plugin or remove any administrative endpoints that alter sidebar or menu configuration.
  • Implement standard WordPress CSRF protection practices such as ensuring nonces are required for state‑changing requests and that referer checks are enforced for administrative actions.
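As an added illustration (not code from the Off-Canvas Sidebars & Menus plugin or from OpenCVE), the following shows the recommended WordPress protections on a hypothetical admin-post.php settings handler: an unprotected handler first, then the same handler hardened with a capability check, a nonce, and a referer check. The action name, nonce field name, option name and form page are assumptions for the example.

```php
<?php
// Added example, not the plugin's own code. Handler for a hypothetical
// "sidebar settings" form submitted to admin-post.php.

// --- Vulnerable pattern: any POST carrying the victim's login cookie is processed. ---
add_action( 'admin_post_ocs_demo_save_unsafe', function () {
    // No nonce and no capability check: a forged cross-site POST changes the option.
    update_option( 'ocs_demo_sidebar', sanitize_text_field( wp_unslash( $_POST['sidebar'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=ocs-demo' ) );
    exit;
} );

// --- Hardened pattern ---
const OCS_DEMO_ACTION = 'ocs_demo_save';    // nonce action (hypothetical name)
const OCS_DEMO_NONCE  = '_ocs_demo_nonce';  // nonce field name (hypothetical name)

// Render the form. wp_nonce_field() emits a token bound to this action and the current user.
function ocs_demo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="' . esc_attr( OCS_DEMO_ACTION ) . '">';
    wp_nonce_field( OCS_DEMO_ACTION, OCS_DEMO_NONCE );
    echo '<input type="text" name="sidebar" value="' . esc_attr( get_option( 'ocs_demo_sidebar', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

add_action( 'admin_post_' . OCS_DEMO_ACTION, function () {
    // 1. Authorization: only users who may manage options can change the setting.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Nonce: check_admin_referer() validates the token for this action and
    //    terminates the request with an error page if it is missing or stale.
    check_admin_referer( OCS_DEMO_ACTION, OCS_DEMO_NONCE );
    // 3. Referer: additionally require that the request originated on this site.
    $referer = wp_get_referer();
    if ( ! $referer || wp_parse_url( $referer, PHP_URL_HOST ) !== wp_parse_url( home_url(), PHP_URL_HOST ) ) {
        wp_die( 'Invalid request origin.', '', array( 'response' => 403 ) );
    }
    // Only now is the state change performed.
    update_option( 'ocs_demo_sidebar', sanitize_text_field( wp_unslash( $_POST['sidebar'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=ocs-demo&updated=1' ) );
    exit;
} );
```

The nonce check is the control that closes CWE-352; the capability and referer checks are defence in depth and do not replace it.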


Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:15:00 +0000
  Metrics (ssvc)
    Removed: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
    Added:   {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1)
    Removed: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
    Added:   {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Tue, 20 Jan 2026 15:30:00 +0000

Tue, 20 Jan 2026 14:45:00 +0000

Thu, 13 Nov 2025 11:30:00 +0000

Thu, 13 Nov 2025 10:45:00 +0000

Tue, 28 Oct 2025 14:15:00 +0000
  Metrics (cvssV3_1)
    Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
  Metrics (ssvc)
    Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 27 Oct 2025 22:30:00 +0000
  First Time appeared
    Added: Wordpress; Wordpress wordpress
  Vendors & Products
    Added: Wordpress; Wordpress wordpress

Mon, 27 Oct 2025 02:00:00 +0000
  Description
    Added: Cross-Site Request Forgery (CSRF) vulnerability in Jory Hogeveen Off-Canvas Sidebars & Menus (Slidebars) off-canvas-sidebars allows Cross Site Request Forgery.This issue affects Off-Canvas Sidebars & Menus (Slidebars): from n/a through <= 0.5.8.5.
  Title
    Added: WordPress Off-Canvas Sidebars & Menus (Slidebars) plugin <= 0.5.8.5 - Cross Site Request Forgery (CSRF) vulnerability
  Weaknesses
    Added: CWE-352
  References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:05.002Z

Reserved: 2025-10-24T14:24:16.560Z

Link: CVE-2025-62891

Vulnrichment

Updated: 2025-10-27T15:21:51.946Z

NVD

Status : Deferred

Published: 2025-10-27T02:15:48.013

Modified: 2026-04-27T18:16:27.653

Link: CVE-2025-62891

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T21:00:09Z

Weaknesses