Description
Cross-Site Request Forgery (CSRF) vulnerability in Themes4WP Popularis Extra popularis-extra allows Cross Site Request Forgery.This issue affects Popularis Extra: from n/a through <= 1.2.10.
Published: 2026-02-19
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery
Action: Update Plugin
AI Analysis

Impact

The vulnerability is a CSRF flaw that allows forged HTTP requests to interact with the Popularis Extra plugin, potentially leading to unauthorized changes to plugin settings or other data when a user is authenticated. Based on the nature of CSRF, it is inferred that an attacker might alter site statistics or configuration data by exploiting the plugin’s lack of request origin verification.

Affected Systems

The Themes4WP Popularis Extra plugin for WordPress is affected, with all releases up to and including version 1.2.10 at risk. WordPress sites that have installed any of these versions are listed as impacted.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate risk level, while the EPSS score of less than 1% suggests a currently low likelihood of exploitation. The vulnerability is not included in the CISA KEV catalog. Based on the description, it is inferred that attackers would need to target a user who is logged in with sufficient privileges to access Popularis Extra, then craft a malicious link or form that submits data to the plugin’s endpoints. Because this is a CSRF issue, no additional privileges beyond those of the authenticated user are required for exploitation.

Generated by OpenCVE AI on April 16, 2026 at 06:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Popularis Extra to a version newer than 1.2.10.
  • If an upgrade is not immediately possible, restrict administrative access to Popularis Extra’s settings pages to administrators only, or disable the plugin until a patch is available.
  • Configure WordPress to enforce non‑nonce or token validation on all admin requests, ensuring that Popularis Extra actions require a legitimate, verified request origin.

Generated by OpenCVE AI on April 16, 2026 at 06:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Themes4wp
Themes4wp popularis Extra
Wordpress
Wordpress wordpress
Vendors & Products Themes4wp
Themes4wp popularis Extra
Wordpress
Wordpress wordpress

Thu, 19 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in Themes4WP Popularis Extra popularis-extra allows Cross Site Request Forgery.This issue affects Popularis Extra: from n/a through <= 1.2.10.
Title WordPress Popularis Extra plugin <= 1.2.10 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References

Subscriptions

Themes4wp Popularis Extra
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:58.667Z

Reserved: 2026-02-02T12:53:26.262Z

Link: CVE-2026-25422

cve-icon Vulnrichment

Updated: 2026-02-19T17:09:57.588Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T09:16:23.883

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25422

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T06:30:06Z

Weaknesses