{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6062", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-13T13:22:48.551Z", "datePublished": "2025-06-14T08:23:25.957Z", "dateUpdated": "2026-04-08T17:00:28.740Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:28.740Z"}, "affected": [{"vendor": "netlatch", "product": "Yougler Blogger Profile Page", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "v1.01", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Yougler Blogger Profile Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, v1.01. This is due to missing or incorrect nonce validation on the 'yougler-plugin.php' page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Yougler Blogger Profile Page <= v1.01 - Cross-Site Request Forgery to Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7102fb97-96a4-4fd9-824d-6fa6d483f37a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/yougler-blogger-profile-page/trunk/yougler-plugin.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "timeline": [{"time": "2025-06-13T19:47:06.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-16T16:45:56.975538Z", "id": "CVE-2025-6062", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-17T18:38:57.256Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6062", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-16T16:45:56.975538Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-16T16:47:11.405Z"}}], "cna": {"title": "Yougler Blogger Profile Page <= v1.01 - Cross-Site Request Forgery to Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "JohSka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "netlatch", "product": "Yougler Blogger Profile Page", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "v1.01"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-13T19:47:06.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7102fb97-96a4-4fd9-824d-6fa6d483f37a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/yougler-blogger-profile-page/trunk/yougler-plugin.php"}], "descriptions": [{"lang": "en", "value": "The Yougler Blogger Profile Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, v1.01. This is due to missing or incorrect nonce validation on the 'yougler-plugin.php' page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:28.740Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6062", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:00:28.740Z", "dateReserved": "2025-06-13T13:22:48.551Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-14T08:23:25.957Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Yougler Blogger Profile Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, v1.01. This is due to missing or incorrect nonce validation on the 'yougler-plugin.php' page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Yougler Blogger Profile Page para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la v1.01 incluida. Esto se debe a una validaci\u00f3n de nonce inexistente o incorrecta en la p\u00e1gina 'yougler-plugin.php'. Esto permite que atacantes no autenticados actualicen la configuraci\u00f3n del complemento mediante una solicitud falsificada, ya que pueden enga\u00f1ar al administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-6062", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-06-14T09:15:24.520", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/yougler-blogger-profile-page/trunk/yougler-plugin.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7102fb97-96a4-4fd9-824d-6fa6d483f37a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T01:19:53.650347+00:00", "value": {"mitigation_remediation": ["Update the Yougler Blogger Profile Page plugin to the latest available version or to a release that includes the CSRF fix.", "If an update is not immediately possible, disable the plugin to eliminate the vulnerable entry point.", "Enhance administrator security by enforcing two\u2011factor authentication and restricting admin access to trusted IP ranges to reduce the window for social\u2011engineering attacks."], "summary": {"action": "Patch", "impact": "Unauthorized Settings Modification"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the netlatch Yougler Blogger Profile Page plugin for WordPress, versions up to and including 1.01. No specific patch release is noted in the data, but the issue applies to any installation of these versions regardless of site configuration. Site administrators using older WordPress installations or a custom theme that includes the plugin should review their plugin version promptly.", "description_and_impact": "The Yougler Blogger Profile Page plugin contains a Cross\u2011Site Request Forgery flaw that allows an unauthenticated user to submit a forged HTTP request and alter the plugin\u2019s settings. This means an attacker who can convince a site administrator to click a malicious link can change configuration values such as layout options or social media URLs. The flaw resides in missing or incorrect nonce checks within the plugin\u2019s backend file and grants the attacker the same privileges as the clicked administrator, potentially affecting the appearance and behavior of the site but not granting direct code execution or data exfiltration. The weakness is the classic CSRF type identified as CWE\u2011352, indicating insufficient request validation.", "risk_and_exploitability": "The CVSS score of 4.3 suggests a moderate level of risk. The EPSS score indicated is below 1\u202f%, implying that automated exploitation is unlikely at present. The issue is not listed in CISA\u2019s KEV catalog. The attack requires an active social\u2011engineering effort to persuade an administrator to visit a crafted URL; it does not rely on a known public exploit payload and therefore has a limited likelihood of exploitation in the wild. Nevertheless, once the attacker succeeds, they can modify plugin settings and potentially disrupt site functionality or present a compromised user interface to visitors."}}}}, "created": "2026-04-22T01:30:05.232937+00:00", "updated": "2026-04-22T01:30:05.232951+00:00", "vendors": []}