Description
Cross-Site Request Forgery (CSRF) vulnerability in wpzita Zita Elementor Site Library zita-site-library allows Cross Site Request Forgery.This issue affects Zita Elementor Site Library: from n/a through <= 1.6.6.
Published: 2026-02-19
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery
Action: Patch
AI Analysis

Impact

Cross‑Site Request Forgery vulnerability in Zita Elementor Site Library plugin allows attackers to execute actions on behalf of authenticated users. The flaw occurs because the plugin does not enforce proper CSRF protection for its endpoints. An attacker can craft a malicious request that triggers a state‑changing operation, such as updating content or changing settings, when a logged‑in user visits a malicious page. This undermines the integrity of the site and can lead to defacement or data tampering.

Affected Systems

The vulnerability affects the wpzita Zita Elementor Site Library plugin – all versions up through 1.6.6 are susceptible. No earlier vulnerable version is specified, but any release prior to the patched version should be considered at risk until it is updated.

Risk and Exploitability

With a CVSS score of 4.3 the risk is moderate, and an EPSS score of less than 1% indicates a low probability of exploitation in the short term. The vulnerability is not listed in the CISA KEV catalog. The attack vector is via the web: an attacker must entice a logged‑in user to visit a malicious site that forces a state‑changing request to the plugin’s endpoint. No additional network access or privileged credentials are required beyond user authentication, but successful exploitation compromises the site’s integrity.

Generated by OpenCVE AI on April 16, 2026 at 06:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Zita Elementor Site Library plugin to the latest released version that addresses the CSRF issue.
  • Ensure that the site’s security configuration enforces CSRF token validation and same‑site cookies for all state‑changing requests, particularly for the plugin’s endpoints.
  • If an immediate upgrade is not feasible, implement a web application firewall rule that blocks or flags POST/PUT requests to the plugin’s endpoints that lack a valid CSRF token or originate from unfamiliar sources.

Generated by OpenCVE AI on April 16, 2026 at 06:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpzita
Wpzita zita Elementor Site Library
Vendors & Products Wordpress
Wordpress wordpress
Wpzita
Wpzita zita Elementor Site Library

Fri, 20 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Thu, 19 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in wpzita Zita Elementor Site Library zita-site-library allows Cross Site Request Forgery.This issue affects Zita Elementor Site Library: from n/a through <= 1.6.6.
Title WordPress Zita Elementor Site Library plugin <= 1.6.6 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References

Subscriptions

Wordpress Wordpress
Wpzita Zita Elementor Site Library
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:54.796Z

Reserved: 2026-02-02T12:20:47.811Z

Link: CVE-2026-25319

cve-icon Vulnrichment

Updated: 2026-02-19T21:31:02.536Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T09:16:16.200

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25319

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T06:45:16Z

Weaknesses