Description
The Depicter plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions less than, or equal to, 4.0.4. This is due to missing or incorrect nonce validation on the depicter-document-rules-store function. This makes it possible for unauthenticated attackers to modify document rules via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-10-31
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Request Forgery allowing unauthorized changes to Depicter document rules
Action: Update Plugin
AI Analysis

Impact

The vulnerability arises from missing or incorrect nonce validation on the depicter-document-rules-store function in the Depicter WordPress plugin. Because the request's origin is never verified with a nonce, an attacker who can trick a logged-in site administrator into visiting a crafted URL can change document rules without holding any credentials of their own; the administrator's browser supplies the session cookies. The impact is limited to modification of content rules, but it can alter how sliders and pop-ups behave, potentially enabling further attacks or disrupting site functionality. The flaw is classified as a CSRF weakness (CWE-352).

Affected Systems

The defect exists in the Depicter Popup & Slider Builder plugin by averta for WordPress, affecting all releases up to and including version 4.0.4. Administrators running these vulnerable versions are at risk; users of newer releases are unaffected.

Risk and Exploitability

The CVSS score of 4.3 places the issue in the medium severity range. An EPSS score of less than 1% suggests a very low probability of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog, indicating no known widespread attacks. Likely exploitation would require social engineering to get an admin to click a malicious link, after which the forged request would update rule settings.

Generated by OpenCVE AI on April 20, 2026 at 19:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Depicter plugin to a version newer than 4.0.4, which resolves the nonce validation issue.
  • Verify that future updates include proper nonce checks for the depicter-document-rules-store endpoint and that the endpoint requires a valid secret token.
  • As a temporary measure, restrict access to the Ajax endpoint to authenticated administrators or disable the affected feature until a patch is applied.
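The nonce check the actions above ask for, shown as an added illustration rather than the Depicter plugin's own code: a WordPress admin-ajax handler in the vulnerable shape (capability check only) beside the hardened shape (nonce verified with check_ajax_referer() before anything else). Action, function and option names are hypothetical; the point worth noting is that a capability check alone does not stop CSRF, because the forged request arrives with the administrator's own session.

```php
<?php
// Added example, not the Depicter plugin's code. Names prefixed "example_" are hypothetical.

// Vulnerable shape: trusts any request that reaches admin-ajax.php with an admin session.
// A page the admin visits elsewhere can auto-submit a POST here; the browser attaches the
// WordPress auth cookies, so current_user_can() passes and the rules are overwritten (CWE-352).
function example_rules_store_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $rules = isset( $_POST['rules'] ) ? wp_unslash( $_POST['rules'] ) : '';
    update_option( 'example_document_rules', sanitize_text_field( $rules ) );
    wp_send_json_success();
}
// Deliberately not registered; kept only to contrast with the hardened handler below.

// Hardened shape: verify the nonce first, then the capability, then accept only expected fields.
function example_rules_store_hardened() {
    // Reads $_REQUEST['_ajax_nonce'], checks it against the 'example-rules-store' action for the
    // current user/session, and stops with HTTP 403 ("-1" body) when missing or invalid.
    check_ajax_referer( 'example-rules-store' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $rules = isset( $_POST['rules'] ) ? wp_unslash( $_POST['rules'] ) : '';
    update_option( 'example_document_rules', sanitize_text_field( $rules ) );
    wp_send_json_success();
}
// No wp_ajax_nopriv_ hook: anonymous direct calls are rejected. That alone was never the issue,
// since CSRF rides on a logged-in admin's session; the nonce is what ties the request to intent.
add_action( 'wp_ajax_example-rules-store', 'example_rules_store_hardened' );

// Where the plugin's admin screen is rendered, mint the nonce for the front-end script.
// The script must send it as the _ajax_nonce POST field alongside action=example-rules-store.
function example_rules_enqueue( $hook ) {
    wp_enqueue_script( 'example-rules', plugins_url( 'rules.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-rules', 'exampleRules', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example-rules-store' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_rules_enqueue' );
```

When auditing a plugin update for the fix, look for check_ajax_referer() or wp_verify_nonce() reached before the first write in the handler; a nonce check placed after the update_option() call, or only in the JavaScript, does not close the hole.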

Generated by OpenCVE AI on April 20, 2026 at 19:06 UTC.

Advisories

No advisories yet.

History

Mon, 22 Dec 2025 18:15:00 +0000

Type: Metrics (ssvc)
Values Removed: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 19 Dec 2025 15:45:00 +0000

Type: References

Mon, 03 Nov 2025 10:45:00 +0000

Type: First Time appeared
Values Added: Averta; Averta slider And Popup Builder By Depicter; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Averta; Averta slider And Popup Builder By Depicter; Wordpress; Wordpress wordpress

Fri, 31 Oct 2025 18:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 31 Oct 2025 08:45:00 +0000

Type: Description
Values Added: The Depicter plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions less than, or equal to, 4.0.4. This is due to missing or incorrect nonce validation on the depicter-document-rules-store function. This makes it possible for unauthenticated attackers to modify document rules via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values Added: Depicter <= 4.0.4 - Cross-Site Request Forgery

Type: Weaknesses
Values Added: CWE-352

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Averta Slider And Popup Builder By Depicter
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:20:51.353Z

Reserved: 2025-07-30T18:13:07.830Z

Link: CVE-2025-8383

Vulnrichment

Updated: 2025-10-31T17:51:12.889Z

NVD

Status: Deferred

Published: 2025-10-31T09:15:48.573

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8383

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T19:15:15Z

Weaknesses