{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10691", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-18T14:54:06.118Z", "datePublished": "2025-11-06T03:27:01.882Z", "dateUpdated": "2026-04-08T16:52:58.777Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:58.777Z"}, "affected": [{"vendor": "yudiz", "product": "Easy Email Subscription", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Easy Email Subscription plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the show_editsub_page() function. This makes it possible for unauthenticated attackers to delete arbitrary subscribers via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Easy Email Subscription <= 1.3 - Cross-Site Request Forgery to Arbitrary Subscriber Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53234e29-5213-4acd-abfe-5c4ea5dbf829?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3388578/email-subscription-with-secure-captcha"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-11-05T15:07:46.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-05T15:20:07.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-06T17:02:11.340850Z", "id": "CVE-2025-10691", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-06T17:02:19.997Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10691", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-06T17:02:11.340850Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-06T17:02:17.008Z"}}], "cna": {"title": "Easy Email Subscription <= 1.3 - Cross-Site Request Forgery to Arbitrary Subscriber Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "yudiz", "product": "Easy Email Subscription", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-05T15:07:46.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-05T15:20:07.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53234e29-5213-4acd-abfe-5c4ea5dbf829?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3388578/email-subscription-with-secure-captcha"}], "descriptions": [{"lang": "en", "value": "The Easy Email Subscription plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the show_editsub_page() function. This makes it possible for unauthenticated attackers to delete arbitrary subscribers via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:58.777Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10691", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:52:58.777Z", "dateReserved": "2025-09-18T14:54:06.118Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-06T03:27:01.882Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Easy Email Subscription plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the show_editsub_page() function. This makes it possible for unauthenticated attackers to delete arbitrary subscribers via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-10691", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-06T04:15:32.177", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3388578/email-subscription-with-secure-captcha"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53234e29-5213-4acd-abfe-5c4ea5dbf829?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:43:30.334053+00:00", "value": {"mitigation_remediation": ["Update Easy Email Subscription to a version newer than 1.3 to obtain the fixed nonce validation.", "Disable the Easy Email Subscription plugin or uninstall it until a patched version is available to prevent accidental deletion.", "Educate site administrators to verify URLs and be cautious of suspicious links, especially when logged in as admin."], "summary": {"action": "Patch", "impact": "Subscriber Data Deletion"}, "threat_synthesis": {"affected_systems": "All installations of the Easy Email Subscription plugin by yudiz with versions 1.3 and earlier are affected. No further version details are provided beyond the <=1.3 constraint.", "description_and_impact": "The Easy Email Subscription plugin for WordPress contains a Cross\u2011Site Request Forgery flaw stemming from the absence or mis\u2011implementation of nonce checks in the show_editsub_page() routine. An unauthenticated attacker can craft a forged request that, if executed by a site administrator, will delete any subscriber record. This flaw does not allow code execution but results in loss of user data and potential disruption of subscription services.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity risk. The EPSS score, being in the less than 1% bracket, suggests a very low likelihood of exploitation at the time of analysis. The flaw is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Attackers would need to socially engineer an administrator into clicking a malicious link or submitting a forged form; no privileged or authenticated access is required to carry out the deletion."}}}}, "created": "2025-11-06T10:06:44.898684+00:00", "updated": "2026-04-22T16:45:21.464762+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "yudiz", "yudiz$PRODUCT$easy_email_subscription"]}