{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7842", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-18T19:41:38.196Z", "datePublished": "2025-08-23T04:25:47.397Z", "dateUpdated": "2026-04-08T17:06:21.165Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:21.165Z"}, "affected": [{"vendor": "silence", "product": "Silencesoft RSS Reader", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Silencesoft RSS Reader plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.6. This is due to missing or incorrect nonce validation on the 'sil_rss_edit_page' page. This makes it possible for unauthenticated attackers to delete RSS feeds via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Silencesoft RSS Reader <= 0.6 - Cross-Site Request Forgery to RSS Feed Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8e688654-8e21-48e8-a497-06812f3be9fb?source=cve"}, {"url": "https://wordpress.org/plugins/external-rss-reader/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2025-08-22T15:52:08.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-25T17:11:51.793222Z", "id": "CVE-2025-7842", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-25T17:15:08.114Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7842", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-25T17:11:51.793222Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-25T17:11:58.921Z"}}], "cna": {"title": "Silencesoft RSS Reader <= 0.6 - Cross-Site Request Forgery to RSS Feed Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "silence", "product": "Silencesoft RSS Reader", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "0.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-22T15:52:08.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8e688654-8e21-48e8-a497-06812f3be9fb?source=cve"}, {"url": "https://wordpress.org/plugins/external-rss-reader/"}], "descriptions": [{"lang": "en", "value": "The Silencesoft RSS Reader plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.6. This is due to missing or incorrect nonce validation on the 'sil_rss_edit_page' page. This makes it possible for unauthenticated attackers to delete RSS feeds via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-08-23T04:25:47.397Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7842", "state": "PUBLISHED", "dateUpdated": "2025-08-25T17:15:08.114Z", "dateReserved": "2025-07-18T19:41:38.196Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-23T04:25:47.397Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Silencesoft RSS Reader plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.6. This is due to missing or incorrect nonce validation on the 'sil_rss_edit_page' page. This makes it possible for unauthenticated attackers to delete RSS feeds via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El complemento Silencesoft RSS Reader para WordPress es vulnerable a la Cross-Site Request Forgery en todas las versiones hasta la 0.6 incluida. Esto se debe a la falta o a una validaci\u00f3n de nonce incorrecta en la p\u00e1gina 'sil_rss_edit_page'. Esto permite que atacantes no autenticados eliminen fuentes RSS mediante una solicitud falsificada, ya que pueden enga\u00f1ar al administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2025-7842", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-23T05:15:33.283", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/external-rss-reader/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8e688654-8e21-48e8-a497-06812f3be9fb?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T19:16:52.138958+00:00", "value": {"mitigation_remediation": ["Update the Silencesoft RSS Reader plugin to a version that includes the CSRF fix.", "If no update is available immediately, restrict or disable the 'sil_rss_edit_page' endpoint so that only trusted administrators can access it.", "As a temporary countermeasure, add a custom nonce to the feed edit request and validate it on the server side to block forged actions."], "summary": {"action": "Apply patch", "impact": "Unauthenticated deletion of RSS feeds via cross\u2011site request forgery"}, "threat_synthesis": {"affected_systems": "WordPress sites using any version of the Silencesoft RSS Reader plugin up to and including 0.6 are affected. Administrators of these sites are at risk when they access the feed editing page.", "description_and_impact": "The Silencesoft RSS Reader plugin for WordPress contains a cross\u2011site request forgery flaw on the 'sil_rss_edit_page' action because it either omits or incorrectly validates the nonce. An attacker can craft a request that, when a site administrator follows a malicious link or otherwise triggers the page, will delete an existing RSS feed without the administrator\u2019s knowledge or consent. The vulnerability enables loss of content and can disrupt the service that the feeds provide.", "risk_and_exploitability": "The CVSS base score of 4.3 indicates a moderate severity level, and the EPSS probability is reported as less than 1%, showing that real\u2011world exploitation is unlikely but still possible. The vulnerability is not listed in CISA's KEV catalog, yet public advisories are available. Attack requires only a socially engineered click by an administrator on a maliciously crafted link. Without a vendor fix the risk remains while the affected version remains in use."}}}}, "created": "2025-08-23T10:54:57.675609+00:00", "updated": "2026-04-21T19:30:06.079414+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}