{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9617", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-28T18:26:40.188Z", "datePublished": "2025-09-11T07:25:00.969Z", "dateUpdated": "2026-04-08T17:29:23.729Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:23.729Z"}, "affected": [{"vendor": "evidentlycube", "product": "Publish approval", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Publish approval plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the publish_save_option function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Publish approval <= 1.1 - Cross-Site Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e34ac4aa-65c5-43d7-9b77-d4c6068722f1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/publish-approval/trunk/src/actions/HandleOptionsSave.php#L6"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Sandeep"}], "timeline": [{"time": "2025-09-10T19:04:45.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-11T13:34:10.957059Z", "id": "CVE-2025-9617", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-11T14:37:30.951Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9617", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-11T13:34:10.957059Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-11T13:34:12.824Z"}}], "cna": {"title": "Publish approval <= 1.1 - Cross-Site Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "Sandeep"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "evidentlycube", "product": "Publish approval", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-10T19:04:45.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e34ac4aa-65c5-43d7-9b77-d4c6068722f1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/publish-approval/trunk/src/actions/HandleOptionsSave.php#L6"}], "descriptions": [{"lang": "en", "value": "The Publish approval plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the publish_save_option function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:23.729Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9617", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:29:23.729Z", "dateReserved": "2025-08-28T18:26:40.188Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-11T07:25:00.969Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Publish approval plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the publish_save_option function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-9617", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-11T08:15:37.020", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/publish-approval/trunk/src/actions/HandleOptionsSave.php#L6"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e34ac4aa-65c5-43d7-9b77-d4c6068722f1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:36:48.548286+00:00", "value": {"mitigation_remediation": ["Upgrade the Publish approval plugin to a version newer than 1.1 where nonce validation is correctly implemented", "Ensure that all server\u2011side form handlers validate a CSRF token before applying changes to plugin settings", "Restrict administrative access to trusted personnel, enable two\u2011factor authentication, and monitor for unexpected POST requests"], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Request Forgery that permits modification of plugin settings"}, "threat_synthesis": {"affected_systems": "Evidentlycube Publish approval plugin for WordPress, any version up to and including 1.1. All installations using these versions lack the proper nonce check on settings changes and are therefore vulnerable until addressed.", "description_and_impact": "The Publish approval WordPress plugin is vulnerable to CSRF due to missing or incorrect nonce validation in the publish_save_option function. An unauthenticated attacker can forge a request that an administrator will unknowingly submit, enabling the attacker to alter plugin configuration. Because these settings govern how content is published, the vulnerability allows a malicious actor to disrupt or manipulate the publishing process.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium severity, while the EPSS score of less than 1% suggests a very low current likelihood of exploitation, and the issue is not listed in CISA\u2019s KEV catalogue. Exploitation requires an attacker to convince a site administrator to click a link or submit a crafted form, after which the attacker can modify settings with administrator privileges. The impact therefore is confined to administrators who can change publishing workflow configuration, but those changes can affect the entire site. "}}}}, "created": "2025-09-12T09:11:22.399191+00:00", "updated": "2026-04-20T19:45:15.506164+00:00", "vendors": ["evidentlycube", "evidentlycube$PRODUCT$publish_approval_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}