{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11976", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-20T16:07:42.381Z", "datePublished": "2025-10-25T06:49:25.381Z", "dateUpdated": "2026-04-08T17:29:54.970Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:54.970Z"}, "affected": [{"vendor": "fusewp", "product": "FuseWP \u2013 WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.)", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.23.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The FuseWP \u2013 WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.23.0. This is due to missing or incorrect nonce validation on the save_changes function. This makes it possible for unauthenticated attackers to add or edit sync rules via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "FuseWP \u2013 WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) <= 1.1.23.0 - Cross-Site Request Forgery to Sync Rule Creation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e5957d6b-40e5-44c4-9a1b-e9c49e175162?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3383939/fusewp/trunk/src/core/src/Admin/SettingsPage/SyncPage.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-10-20T16:22:57.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-24T18:12:55.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-27T15:32:49.320244Z", "id": "CVE-2025-11976", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:32:59.968Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11976", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-27T15:32:49.320244Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:32:55.290Z"}}], "cna": {"title": "FuseWP \u2013 WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) <= 1.1.23.0 - Cross-Site Request Forgery to Sync Rule Creation", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "fusewp", "product": "FuseWP \u2013 WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.)", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.1.23.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-20T16:22:57.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-24T18:12:55.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e5957d6b-40e5-44c4-9a1b-e9c49e175162?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3383939/fusewp/trunk/src/core/src/Admin/SettingsPage/SyncPage.php"}], "descriptions": [{"lang": "en", "value": "The FuseWP \u2013 WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.23.0. This is due to missing or incorrect nonce validation on the save_changes function. This makes it possible for unauthenticated attackers to add or edit sync rules via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-25T06:49:25.381Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11976", "state": "PUBLISHED", "dateUpdated": "2025-10-27T15:32:59.968Z", "dateReserved": "2025-10-20T16:07:42.381Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-25T06:49:25.381Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The FuseWP \u2013 WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.23.0. This is due to missing or incorrect nonce validation on the save_changes function. This makes it possible for unauthenticated attackers to add or edit sync rules via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-11976", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-25T07:15:40.737", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3383939/fusewp/trunk/src/core/src/Admin/SettingsPage/SyncPage.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e5957d6b-40e5-44c4-9a1b-e9c49e175162?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T06:05:21.005749+00:00", "value": {"mitigation_remediation": ["Upgrade the FuseWP plugin to the latest version that includes the CSRF fix.", "Review all existing sync rule configurations for unauthorized or unexpected entries and delete those that were not authorized by a legitimate administrator.", "If an upgrade cannot be applied immediately, temporarily disable or restrict the sync feature until the update is available.", "Monitor WordPress administrative logs for anomalous sync rule creation or modification events to detect exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Request Forgery allowing unauthorized creation or modification of email sync rules"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the FuseWP \u2013 WordPress User Sync to Email List & Marketing Automation plugin version 1.1.23.0 or earlier are affected. The vendor is fusewp and no other vendors or products are listed.", "description_and_impact": "The FuseWP plugin for WordPress contains a CSRF vulnerability because the save_changes function fails to validate the nonce correctly. An attacker who can lure a logged\u2011in site administrator into visiting a forged URL can force the creation or modification of sync rules that send user data to external marketing services such as Mailchimp, Constant Contact, or ActiveCampaign. This may result in unwanted data transfer.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity, while the EPSS score of less than 1% points to a very low likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. Attackers must rely on social engineering to trick an administrator into executing a forged request while authenticated, which limits the immediate attack surface but still poses a potential risk to data integrity and compliance."}}}}, "created": "2025-10-27T22:10:23.120800+00:00", "updated": "2026-04-22T06:15:10.426370+00:00", "vendors": ["fusewp", "fusewp$PRODUCT$fusewp", "wordpress", "wordpress$PRODUCT$wordpress"]}