Description
Cross-Site Request Forgery (CSRF) vulnerability in jegtheme JNews Paywall jnews-paywall allows Cross Site Request Forgery. This issue affects JNews Paywall: from n/a through < 12.0.1.
Published: 2025-12-09
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cross‑site request forgery in jegtheme's JNews Paywall plugin for WordPress permits an attacker to induce an authenticated site user to perform unauthorized actions, such as altering content or adjusting settings. The vulnerability stems from insufficient validation of incoming requests, allowing maliciously crafted submissions to be executed as if submitted by the legitimate user. This can compromise the integrity and availability of site content and configuration.

Affected Systems

The flaw impacts jegtheme’s JNews Paywall plugin on all WordPress installations running any version earlier than 12.0.1. Site administrators should verify the installed plugin version and identify whether the installation remains within the vulnerable range.

Risk and Exploitability

The CVSS base score of 4.3 reflects a moderate risk, and exploitation requires user interaction. The EPSS score of less than 1 percent indicates a low probability of mass exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers typically need to lure a logged‑in user, or a visitor who can be sent a crafted request. Based on the description, it is inferred that the vulnerability requires an authenticated user, and that such requests may be delivered via a malicious hyperlink or an embedded form that causes the browser to submit the forged data.

Generated by OpenCVE AI on April 29, 2026 at 22:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the JNews Paywall plugin to version 12.0.1 or newer
  • If an upgrade is not immediately available, temporarily disable the JNews Paywall plugin to eliminate the CSRF surface area
  • Monitor site traffic for unexpected POST or GET requests that deviate from normal user activity patterns

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Wed, 10 Dec 2025 18:00:00 +0000

Type: First Time appeared
Values Added: Jnews; Jnews jnews; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Jnews; Jnews jnews; Wordpress; Wordpress wordpress

Tue, 09 Dec 2025 21:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Dec 2025 14:30:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in jegtheme JNews Paywall jnews-paywall allows Cross Site Request Forgery. This issue affects JNews Paywall: from n/a through < 12.0.1.

Type: Title
Values Added: WordPress JNews Paywall plugin < 12.0.1 - Cross Site Request Forgery (CSRF) vulnerability

Type: Weaknesses
Values Added: CWE-352

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:22.134Z

Reserved: 2025-12-09T12:21:39.681Z

Link: CVE-2025-67591

Vulnrichment

Updated: 2025-12-09T21:04:34.675Z

NVD

Status: Deferred

Published: 2025-12-09T16:18:37.207

Modified: 2026-04-27T18:16:45.390

Link: CVE-2025-67591

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T23:00:14Z
