{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68529", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-19T10:17:03.706Z", "datePublished": "2025-12-24T12:31:25.832Z", "dateUpdated": "2026-04-28T16:14:29.921Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-email-capture", "product": "WP Email Capture", "vendor": "Rhys Wynne", "versions": [{"changes": [{"at": "3.12.6", "status": "unaffected"}], "lessThanOrEqual": "3.12.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Arif Shaikh | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:23:11.815Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Rhys Wynne WP Email Capture wp-email-capture allows Cross Site Request Forgery.<p>This issue affects WP Email Capture: from n/a through <= 3.12.5.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in Rhys Wynne WP Email Capture wp-email-capture allows Cross Site Request Forgery.This issue affects WP Email Capture: from n/a through <= 3.12.5."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:29.921Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-email-capture/vulnerability/wordpress-wp-email-capture-plugin-3-12-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "title": "WordPress WP Email Capture plugin <= 3.12.5 - Cross Site Request Forgery (CSRF) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T18:39:21.551643Z", "id": "CVE-2025-68529", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:39:24.397Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68529", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T18:39:21.551643Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-24T19:07:45.361Z"}}], "cna": {"title": "WordPress WP Email Capture plugin <= 3.12.5 - Cross Site Request Forgery (CSRF) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Arif Shaikh | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Rhys Wynne", "product": "WP Email Capture", "versions": [{"status": "affected", "changes": [{"at": "3.12.6", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "3.12.5"}], "packageName": "wp-email-capture", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:23:11.815Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-email-capture/vulnerability/wordpress-wp-email-capture-plugin-3-12-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Rhys Wynne WP Email Capture wp-email-capture allows Cross Site Request Forgery.This issue affects WP Email Capture: from n/a through <= 3.12.5.", "supportingMedia": [{"type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Rhys Wynne WP Email Capture wp-email-capture allows Cross Site Request Forgery.<p>This issue affects WP Email Capture: from n/a through <= 3.12.5.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:56.986Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68529", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:39:24.397Z", "dateReserved": "2025-12-19T10:17:03.706Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2025-12-24T12:31:25.832Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Rhys Wynne WP Email Capture wp-email-capture allows Cross Site Request Forgery.This issue affects WP Email Capture: from n/a through <= 3.12.5."}], "id": "CVE-2025-68529", "lastModified": "2026-04-27T19:16:28.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2025-12-24T13:16:22.357", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-email-capture/vulnerability/wordpress-wp-email-capture-plugin-3-12-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:29:07.473673+00:00", "value": {"mitigation_remediation": ["Upgrade WP Email Capture to a version beyond 3.12.5, which removes the CSRF flaw.", "Restrict or disable the plugin\u2019s administrative actions when they are not needed, thereby minimizing the exposure of vulnerable endpoints.", "Add CSRF protection to all forms that submit data to the plugin, for example by using WordPress nonces or custom tokens, to prevent unauthorized requests."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Request Forgery"}, "threat_synthesis": {"affected_systems": "The flaw affects the WP Email Capture plugin created by Rhys Wynne. Versions from the earliest available up to and including 3.12.5 are impacted. WordPress sites that have this plugin installed and are running a vulnerable version are at risk.", "description_and_impact": "The vulnerability is a Cross\u2011Site Request Forgery flaw that allows an attacker to trick an authenticated WordPress user into performing actions configured by the WP Email Capture plugin. Because the plugin does not validate request authenticity, a crafted URL or form can change settings or submit email captures without the user\u2019s consent, potentially leading to data leakage or unauthorized configuration changes. The weakness is classified as CWE\u2011352.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity. The EPSS score of less than 1\u202f% indicates that exploitation is considered unlikely at this time. The vulnerability is not listed in the CISA KEV catalog. The attack vector is likely through a web browser, where an attacker hosts a malicious page that automatically submits a request to the site while a logged\u2011in user visits the page. Successful exploitation requires that the target user be authenticated and that the plugin\u2019s admin or capture endpoints be reachable."}}}}, "created": "2025-12-29T22:34:37.204153+00:00", "updated": "2026-04-28T18:30:37.344761+00:00", "vendors": ["rhys_wynne", "rhys_wynne$PRODUCT$wp_email_capture", "wordpress", "wordpress$PRODUCT$wordpress"]}