{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9632", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-28T19:57:00.741Z", "datePublished": "2025-09-11T07:25:01.363Z", "dateUpdated": "2026-04-08T17:30:28.978Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:28.978Z"}, "affected": [{"vendor": "vinzzb", "product": "PhpList Subber", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The PhpList Subber plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the bulk_action_handler function. This makes it possible for unauthenticated attackers to trigger bulk synchronization of subscription forms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "PhpList Subber <= 1.1 - Cross-Site Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e8113238-5208-42cd-aed6-7ec61c3ced85?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/phpls/tags/1.1/admin/init.php#L60"}, {"url": "https://plugins.trac.wordpress.org/browser/phpls/tags/1.1/admin/init.php#L45"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2025-09-10T19:04:28.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-11T13:33:19.377668Z", "id": "CVE-2025-9632", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-11T14:37:25.217Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9632", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-11T13:33:19.377668Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-11T13:33:45.461Z"}}], "cna": {"title": "PhpList Subber <= 1.1 - Cross-Site Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "vinzzb", "product": "PhpList Subber", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-10T19:04:28.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e8113238-5208-42cd-aed6-7ec61c3ced85?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/phpls/tags/1.1/admin/init.php#L60"}, {"url": "https://plugins.trac.wordpress.org/browser/phpls/tags/1.1/admin/init.php#L45"}], "descriptions": [{"lang": "en", "value": "The PhpList Subber plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the bulk_action_handler function. This makes it possible for unauthenticated attackers to trigger bulk synchronization of subscription forms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:28.978Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9632", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:30:28.978Z", "dateReserved": "2025-08-28T19:57:00.741Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-11T07:25:01.363Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The PhpList Subber plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the bulk_action_handler function. This makes it possible for unauthenticated attackers to trigger bulk synchronization of subscription forms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-9632", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-11T08:15:38.170", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/phpls/tags/1.1/admin/init.php#L45"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/phpls/tags/1.1/admin/init.php#L60"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e8113238-5208-42cd-aed6-7ec61c3ced85?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:36:28.449039+00:00", "value": {"mitigation_remediation": ["Upgrade PhpList Subber to the latest available version that implements proper nonce validation and access control for the bulk sync action.", "If an upgrade is not possible, remove or disable the bulk_sync functionality from the plugin, for example by deactivating the plugin or modifying the code to delete the bulk_action_handler hook.", "Add an additional layer of protection by enabling two\u2011factor authentication for WordPress administrators so that even if a forged request is sent, the attacker cannot perform the action without the second factor."], "summary": {"action": "Patch Immediately", "impact": "Cross\u2011Site Request Forgery allowing an unauthenticated user to trigger bulk synchronization of subscription forms"}, "threat_synthesis": {"affected_systems": "WordPress sites running the PhpList Subber plugin version 1.1 or earlier, supplied by the vendor vinzzb. Any installation of this plugin that exposes the bulk sync admin endpoint is vulnerable.", "description_and_impact": "The vulnerability is a CSRF flaw in the bulk_action_handler function of the PhpList Subber plugin for WordPress. Missing or incorrect nonce verification enables an attacker who can lure a site administrator to click a crafted link or URL to initiate a bulk sync of subscription forms. The action is performed as the impersonated admin, potentially affecting the integrity of the form data but not the confidentiality of the site. The flaw is classified as CWE\u2011352.", "risk_and_exploitability": "The CVSS score of 4.3 places the vulnerability in a medium\u2011risk range. The EPSS score of < 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in CISA KEV. Exploitation requires an unauthenticated attacker to deliver a forged HTTP request and convince an administrator to perform the action, so the attack vector is social engineering and web\u2011based. If the attacker succeeds, the affected administrator would execute a bulk sync operation with the site\u2019s credentials."}}}}, "created": "2025-09-12T09:11:23.756511+00:00", "updated": "2026-04-20T19:45:15.505700+00:00", "vendors": ["vinzzb", "vinzzb$PRODUCT$phplist_subber", "wordpress", "wordpress$PRODUCT$wordpress"]}