Description
Cross-Site Request Forgery (CSRF) vulnerability in themelooks Enter Addons enteraddons allows Cross Site Request Forgery. This issue affects Enter Addons: from n/a through <= 2.3.2.
Published: 2026-02-03
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery (CSRF) enabling unauthorized actions by an authenticated user
Action: Upgrade Plugin
AI Analysis

Impact

The Enter Addons plugin has a CSRF vulnerability that lets an attacker forge requests that run in the browser of an authenticated WordPress user, in the worst case an administrator. The attacker hosts a page that auto-submits a form or fires an HTTP request at one of the plugin's unprotected endpoints; if the victim visits that page while logged in, the browser attaches the WordPress session cookies and the plugin performs the action, for example changing plugin settings or content. The weakness is a classic token-less CSRF (CWE-352): the handler never verifies a WordPress nonce or an equivalent request token, so it cannot tell a legitimate admin-page submission from a cross-origin one. The assigned vector (C:N/I:L) reflects an integrity impact only; the damage is bounded by whatever functions the plugin exposes, but it matters if those functions modify site content or configuration.
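
The token-less pattern described above, placed beside a hardened handler, as an added example written for this page and not code from the Enter Addons plugin. The action name demo_save_settings, the option demo_addon_settings, the capability manage_options and the form field names are assumptions chosen for the demonstration; the WordPress API calls (add_action, check_admin_referer, wp_nonce_field, current_user_can and friends) are real core functions.

```php
<?php
/*
 * Illustrative CSRF pattern in a WordPress plugin settings handler.
 * Added example for this page, NOT Enter Addons code. All plugin-specific
 * names (demo_* actions/options, field names) are assumptions.
 */

// VULNERABLE (shown for comparison only; deliberately not hooked):
// any POST that reaches admin-post.php with action=demo_save_settings is
// trusted. A page on another origin can submit such a form from a logged-in
// user's browser, and the session cookie rides along (CWE-352).
function demo_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'demo_addon_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-addon' ) );
    exit;
}

// HARDENED: capability check, then nonce check, then sanitisation.
// A WordPress nonce is bound to the user, the session token and the action
// name, so a form built on an attacker's site cannot supply a valid one.
function demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // Dies with an "expired link" page when the nonce is missing or invalid.
    check_admin_referer( 'demo_save_settings', '_demo_nonce' );

    $raw   = isset( $_POST['settings'] ) && is_array( $_POST['settings'] )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $clean = array(
        'title'   => sanitize_text_field( isset( $raw['title'] ) ? $raw['title'] : '' ),
        'enabled' => ! empty( $raw['enabled'] ) ? 1 : 0,
    );
    update_option( 'demo_addon_settings', $clean );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=demo-addon' ) ) );
    exit;
}
// admin_post_{action} only fires for logged-in users, which is exactly the
// population a CSRF attack targets.
add_action( 'admin_post_demo_save_settings', 'demo_save_settings_hardened' );

// Settings form that emits the nonce field the hardened handler expects.
function demo_render_settings_page() {
    $opts = get_option( 'demo_addon_settings', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_settings">
        <?php wp_nonce_field( 'demo_save_settings', '_demo_nonce' ); ?>
        <p>
            <label>Title
                <input type="text" name="settings[title]"
                       value="<?php echo esc_attr( isset( $opts['title'] ) ? $opts['title'] : '' ); ?>">
            </label>
        </p>
        <p>
            <label>
                <input type="checkbox" name="settings[enabled]" value="1"
                       <?php checked( ! empty( $opts['enabled'] ) ); ?>> Enabled
            </label>
        </p>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The two handlers differ only in the first two guards. The capability check is not redundant with the nonce: a nonce proves the request originated from a page WordPress rendered for this user, while the capability check proves the user is allowed to make the change at all. For AJAX endpoints the same fix applies with check_ajax_referer() in place of check_admin_referer().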

Affected Systems

The flaw affects the Enter Addons plugin version 2.3.2 and earlier. The exposure is limited to WordPress sites running the 'Enter Addons' add-on from themelooks. No specific WordPress core version or other plugin is listed as vulnerable.

Risk and Exploitability

The CVSS score is 4.3, indicating a moderate risk level. The EPSS score of less than 1% suggests a low probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. The vector (AV:N/AC:L/PR:N/UI:R) captures the practical picture: the attacker needs no account or privileges on the target site, but does need a logged-in user to visit a page the attacker controls, so the likely path is a malicious or compromised site that an administrator opens while authenticated. Once that happens, a single crafted form submission is enough; no further access is required. While the chance of exploitation remains low, the potential for losing control of plugin-managed settings warrants attention.

Generated by OpenCVE AI on April 16, 2026 at 01:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Enter Addons to a release later than 2.3.2 once the vendor publishes one that addresses the CSRF issue; the Remediation section above records no fix at the time of writing, so verify the changelog before relying on an update
  • Reduce the number of accounts that hold administrator (manage_options) privileges, since a forged request executes with whatever capabilities the victim user already has
  • As a stopgap, use a Web Application Firewall to reject cross-site form posts to the plugin's admin endpoints (for example admin-post.php and admin-ajax.php) whose Origin/Referer or Sec-Fetch-Site headers show they did not come from the site's own origin; a WAF cannot verify WordPress nonces, so this is not a substitute for the plugin fix

Advisories

No advisories yet.

History

Wed, 04 Feb 2026 12:15:00 +0000

First Time appeared
  Values Removed: none
  Values Added: Themelooks; Themelooks enter Addons; Wordpress; Wordpress wordpress

Vendors & Products
  Values Removed: none
  Values Added: Themelooks; Themelooks enter Addons; Wordpress; Wordpress wordpress

Tue, 03 Feb 2026 15:15:00 +0000

Metrics
  Values Removed: none
  Values Added:
    cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 03 Feb 2026 14:30:00 +0000

Description
  Values Removed: none
  Values Added: Cross-Site Request Forgery (CSRF) vulnerability in themelooks Enter Addons enteraddons allows Cross Site Request Forgery.This issue affects Enter Addons: from n/a through <= 2.3.2.

Title
  Values Removed: none
  Values Added: WordPress Enter Addons plugin <= 2.3.2 - Cross Site Request Forgery (CSRF) vulnerability

Weaknesses
  Values Removed: none
  Values Added: CWE-352

References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:53.615Z

Reserved: 2026-01-28T09:51:50.023Z

Link: CVE-2026-25014

Vulnrichment

Updated: 2026-02-03T15:04:05.306Z

NVD

Status : Deferred

Published: 2026-02-03T15:16:19.607

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25014

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T01:15:20Z

Weaknesses