Description
The Publish approval plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the publish_save_option function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-09-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery that permits modification of plugin settings
Action: Apply Patch
AI Analysis

Impact

The Publish approval WordPress plugin is vulnerable to CSRF due to missing or incorrect nonce validation in the publish_save_option function. An unauthenticated attacker can forge a request that an administrator will unknowingly submit, enabling the attacker to alter plugin configuration. Because these settings govern how content is published, the vulnerability allows a malicious actor to disrupt or manipulate the publishing process.

Affected Systems

Evidentlycube Publish approval plugin for WordPress, any version up to and including 1.1. All installations using these versions lack the proper nonce check on settings changes and are therefore vulnerable until addressed.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, the EPSS score of less than 1% suggests a very low current likelihood of exploitation, and the issue is not listed in CISA's KEV catalogue. Exploitation requires an attacker to convince a site administrator to click a link or submit a crafted form, after which the forged request is processed with that administrator's privileges and the attacker can modify the plugin settings. The impact is therefore limited to the publishing workflow configuration that administrators control, but changes to that configuration can affect the entire site.

Generated by OpenCVE AI on April 20, 2026 at 19:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Publish approval plugin to a version newer than 1.1 where nonce validation is correctly implemented
  • Ensure that all server‑side form handlers validate a CSRF token before applying changes to plugin settings
  • Restrict administrative access to trusted personnel, enable two‑factor authentication, and monitor for unexpected POST requests

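The second recommended action, validating a CSRF token server-side before a settings change is applied, is what a WordPress nonce check looks like in practice. The following is an added illustration and is not code from the Publish approval plugin or from OpenCVE; the function names `example_render_settings_form`, `example_save_option_unsafe` and `example_save_option_safe`, the option name `example_plugin_settings` and the nonce action `example_save_settings` are hypothetical. The core functions it calls (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `sanitize_text_field`, `update_option`, `submit_button`) are real WordPress APIs. The weak handler is shown only for contrast and is never hooked.

```php
<?php
// Added example, not the plugin's code. Hypothetical names: the example_*
// functions, the option 'example_plugin_settings' and the nonce action
// 'example_save_settings'. Everything else is WordPress core API.

// Renders the settings form. wp_nonce_field() emits a hidden '_wpnonce' input
// (plus '_wp_http_referer') derived from the action string, the current user
// and a time window, so a page on another origin cannot know or forge it.
function example_render_settings_form() {
    $settings = get_option( 'example_plugin_settings', array( 'approver_role' => 'editor' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings' ); ?>
        <label>Approver role
            <input type="text" name="approver_role"
                   value="<?php echo esc_attr( $settings['approver_role'] ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Weak pattern (CWE-352): the handler trusts any POST that reaches it. A form on
// an attacker-controlled page, auto-submitted while an administrator is logged
// in, is sent with the administrator's session cookie and is accepted as-is.
function example_save_option_unsafe() {
    $settings = array(
        'approver_role' => sanitize_text_field( wp_unslash( $_POST['approver_role'] ?? '' ) ),
    );
    update_option( 'example_plugin_settings', $settings );
    wp_safe_redirect( wp_get_referer() );
    exit;
}

// Hardened pattern: verify the nonce for this specific action first, then the
// capability. check_admin_referer() runs wp_verify_nonce() on $_POST['_wpnonce']
// and stops execution with a "link has expired" page when it fails, so a forged
// request never reaches update_option(). The capability check is separate:
// a valid nonce proves the request came from the site's own form, not that the
// user is allowed to change settings.
function example_save_option_safe() {
    check_admin_referer( 'example_save_settings' );            // CSRF token check
    if ( ! current_user_can( 'manage_options' ) ) {             // authorization check
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }
    $settings = array(
        'approver_role' => sanitize_text_field( wp_unslash( $_POST['approver_role'] ?? '' ) ),
    );
    update_option( 'example_plugin_settings', $settings );
    wp_safe_redirect( wp_get_referer() );
    exit;
}

// Only the hardened handler is routed from admin-post.php.
add_action( 'admin_post_example_save_settings', 'example_save_option_safe' );
```

The order matters: the nonce check comes before any read of `$_POST`, and the capability check stays even though the form is only rendered to administrators, because the nonce is bound to whichever user is logged in, not to a role. When reviewing a plugin for this class of bug, the thing to look for is exactly the shape of `example_save_option_unsafe`: an `admin_post_*`, `admin_init` or `wp_ajax_*` handler that calls `update_option()` without a preceding `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()`.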


Advisories

Source: EUVD
ID: EUVD-2025-27641
Title: The Publish approval plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the publish_save_option function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Fri, 12 Sep 2025 09:15:00 +0000

First Time appeared (values added): Evidentlycube; Evidentlycube publish Approval Plugin; Wordpress; Wordpress wordpress
Vendors & Products (values added): Evidentlycube; Evidentlycube publish Approval Plugin; Wordpress; Wordpress wordpress

Thu, 11 Sep 2025 15:15:00 +0000

Metrics (values added): ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Sep 2025 07:30:00 +0000

Description (values added): The Publish approval plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the publish_save_option function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title (values added): Publish approval <= 1.1 - Cross-Site Request Forgery
Weaknesses (values added): CWE-352
References (values added):
Metrics (values added): cvssV3_1
{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:23.729Z

Reserved: 2025-08-28T18:26:40.188Z

Link: CVE-2025-9617

Vulnrichment

Updated: 2025-09-11T13:34:12.824Z

NVD

Status : Deferred

Published: 2025-09-11T08:15:37.020

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9617

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T19:45:15Z

Weaknesses