Description
Cross-Site Request Forgery (CSRF) vulnerability in Graham Quick Interest Slider quick-interest-slider allows Cross Site Request Forgery. This issue affects Quick Interest Slider: from n/a through <= 3.1.5.
Published: 2025-12-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross-site request forgery flaw lets an attacker cause an authenticated WordPress user's browser to submit a state-changing request that the plugin processes as if the user had intended it, for example a change to the plugin's settings. It is classified as CWE-352. It gives no code execution by itself and reaches only actions the victim is already authorized to perform; the victim must be logged in and must be induced to load attacker-controlled content (CVSS UI:R).

Affected Systems

WordPress sites running the Quick Interest Slider plugin (slug quick-interest-slider, vendor Graham) at version 3.1.5 or earlier are affected. The advisory gives no lower bound ("n/a"), so every earlier release should be treated as affected regardless of configuration. The installed version is shown on the Plugins screen of the WordPress admin.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 rates the vulnerability Medium. The current vector, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, records network reachability with no privileges but required user interaction, and a low integrity impact with no confidentiality or availability impact (the vector was corrected in April 2026 from C:L/I:N, which had placed the impact on confidentiality; see History). The EPSS score below 1% indicates a very low current likelihood of exploitation, and the CVE is not in CISA's KEV catalog. The likely attack path is social engineering: a victim who is logged in to WordPress visits a crafted page or link that submits the request on their behalf. In WordPress plugins the usual root cause of CWE-352 is a state-changing handler that does not verify a nonce; the advisory does not name the affected endpoint.

Generated by OpenCVE AI on April 29, 2026 at 22:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Quick Interest Slider to a version later than 3.1.5 once the vendor publishes a fix; the Remediation section above records no vendor fix, so confirm the fixed version in the plugin changelog rather than assuming a specific release number.
  • If an upgrade is not possible, deactivate or delete the Quick Interest Slider plugin until a patched version is available.
  • If you maintain or can audit the plugin code, confirm that every state-changing handler (admin-post, admin-ajax, REST and settings-form handlers) verifies a nonce with check_admin_referer(), check_ajax_referer() or wp_verify_nonce() and checks the caller's capability with current_user_can(); a nonce proves the request was intended, not that the user is allowed to make it, so both checks are needed. Site operators cannot add these checks from outside the plugin.
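The handler pattern behind CWE-352 in WordPress plugins (the missing nonce verification mentioned under Risk and Exploitability) and the nonce-plus-capability check that the last recommended action refers to, as an added illustration written for this page. It is not code from the Quick Interest Slider plugin; the option name qis_slider_rate, the action name qis_save_settings, the field names and the settings-page slug are assumptions. The first function shows a state-changing admin-post handler with no nonce and no capability check, the second the hardened form, and the form and AJAX handler show how the matching nonce is emitted and checked.

```php
<?php
/**
 * Added example, not code from the Quick Interest Slider plugin.
 * Hypothetical admin-post handler that saves a plugin option, shown first
 * as the CWE-352 pattern and then hardened with a WordPress nonce and a
 * capability check. Option, action, field and page names are assumptions.
 */

// --- Vulnerable pattern: no nonce, no capability check -----------------
// Any POST to admin-post.php?action=qis_save_settings that arrives with the
// victim's login cookies is applied, including one submitted by a form on
// an attacker-controlled page that the logged-in user merely visited.
function qis_save_settings_vulnerable() {
    if ( isset( $_POST['qis_slider_rate'] ) ) {
        update_option( 'qis_slider_rate', sanitize_text_field( wp_unslash( $_POST['qis_slider_rate'] ) ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=qis-settings' ) );
    exit;
}

// --- Hardened pattern: nonce bound to the action plus capability check --
function qis_save_settings_hardened() {
    // Calls wp_die() unless the request carries, in the 'qis_nonce' field,
    // a nonce valid for the 'qis_save_settings' action and the current user.
    // A page on another origin cannot read or forge that value.
    check_admin_referer( 'qis_save_settings', 'qis_nonce' );

    // A nonce proves intent, not authority: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'qis' ), 403 );
    }

    if ( isset( $_POST['qis_slider_rate'] ) ) {
        update_option( 'qis_slider_rate', sanitize_text_field( wp_unslash( $_POST['qis_slider_rate'] ) ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=qis-settings' ) );
    exit;
}
add_action( 'admin_post_qis_save_settings', 'qis_save_settings_hardened' );

// --- Settings form that emits the nonce the hardened handler expects -----
function qis_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="qis_save_settings">
        <?php wp_nonce_field( 'qis_save_settings', 'qis_nonce' ); ?>
        <label>Slider rate
            <input type="text" name="qis_slider_rate"
                   value="<?php echo esc_attr( get_option( 'qis_slider_rate', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// --- AJAX variant: same rule, using check_ajax_referer() -----------------
function qis_ajax_save_rate() {
    // Dies with -1 when the nonce in 'qis_nonce' is missing or invalid.
    check_ajax_referer( 'qis_save_settings', 'qis_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $rate = isset( $_POST['qis_slider_rate'] ) ? wp_unslash( $_POST['qis_slider_rate'] ) : '';
    update_option( 'qis_slider_rate', sanitize_text_field( $rate ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_qis_save_rate', 'qis_ajax_save_rate' );
```

The check belongs in the handler that performs the write, not only in the form that renders it: check_admin_referer() and check_ajax_referer() terminate the request on failure, so the code after them runs only with a valid nonce. A WordPress nonce is derived from the logged-in user, the action string and a time tick (valid for 12 to 24 hours by default), which is why a page on another origin cannot supply one; it says nothing about whether that user may perform the action, so the current_user_can() check stays.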

Generated by OpenCVE AI on April 29, 2026 at 22:43 UTC.


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Tue, 16 Dec 2025 22:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Dec 2025 19:30:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}


Tue, 16 Dec 2025 17:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Tue, 16 Dec 2025 08:30:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in Graham Quick Interest Slider quick-interest-slider allows Cross Site Request Forgery. This issue affects Quick Interest Slider: from n/a through <= 3.1.5.
Type: Title
Values Added: WordPress Quick Interest Slider plugin <= 3.1.5 - Cross Site Request Forgery (CSRF) vulnerability
Type: Weaknesses
Values Added: CWE-352
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:11.750Z

Reserved: 2025-10-29T03:08:07.245Z

Link: CVE-2025-64237

Vulnrichment

Updated: 2025-12-16T18:57:12.098Z

NVD

Status: Deferred

Published: 2025-12-16T09:15:53.110

Modified: 2026-04-27T16:16:36.233

Link: CVE-2025-64237

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T22:45:06Z

Weaknesses