{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9895", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-02T23:14:02.640Z", "datePublished": "2025-10-03T11:17:20.655Z", "dateUpdated": "2026-04-08T17:21:47.439Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:47.439Z"}, "affected": [{"vendor": "umarbajwa", "product": "Notification Bar", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Notification Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the 'subscriber-list-empty.php' file. This makes it possible for unauthenticated attackers to empty the subscriber list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "Notification Bar <= 2.2 - Cross-Site Request Forgery", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9364785-1174-46d1-8671-001b755361a6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-bar/tags/2.2/subscriber-list-empty.php#L3"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2025-10-02T22:34:16.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-03T13:58:54.787930Z", "id": "CVE-2025-9895", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-03T13:59:06.987Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9895", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-03T13:58:54.787930Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-03T13:58:58.470Z"}}], "cna": {"title": "Notification Bar <= 2.2 - Cross-Site Request Forgery", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "umarbajwa", "product": "Notification Bar", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-02T22:34:16.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9364785-1174-46d1-8671-001b755361a6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-bar/tags/2.2/subscriber-list-empty.php#L3"}], "descriptions": [{"lang": "en", "value": "The Notification Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the 'subscriber-list-empty.php' file. This makes it possible for unauthenticated attackers to empty the subscriber list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:47.439Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9895", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:21:47.439Z", "dateReserved": "2025-09-02T23:14:02.640Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-03T11:17:20.655Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Notification Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the 'subscriber-list-empty.php' file. This makes it possible for unauthenticated attackers to empty the subscriber list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-9895", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-03T12:15:50.473", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-bar/tags/2.2/subscriber-list-empty.php#L3"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9364785-1174-46d1-8671-001b755361a6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:22:35.504025+00:00", "value": {"mitigation_remediation": ["Update the Notification Bar plugin to the latest version or remove the plugin to eliminate the CSRF flaw.", "Ensure that all plugin endpoints validated with proper WordPress nonce checks (e.g., wp_nonce_field and check_admin_referer) before processing state\u2011changing actions.", "Educate site administrators to verify URLs before clicking and consider applying web application firewall rules to block unexpected state\u2011changing requests."], "summary": {"action": "Patch", "impact": "Unauthorized deletion of subscriber list"}, "threat_synthesis": {"affected_systems": "Any WordPress site running the Notification Bar plugin version 2.2 or earlier, including all deployments of the umarbajwa:Notification Bar product. The vulnerability affects the plugin\u2019s functionality that allows administrators to delete subscribers via a request to subscriber\u2011list\u2011empty.php.", "description_and_impact": "The Notification Bar plugin for WordPress contains a CSRF vulnerability in the subscriber-list-empty.php file caused by missing or incorrect nonce validation. An attacker can trick a site administrator into clicking a forged link to trigger a request that empties the entire subscriber list. The impact is a non\u2011authentication\u2011based data modification that removes all stored subscriber contacts, potentially disrupting marketing or communication channels and erasing leads that the site owner has accumulated.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, while the EPSS score of <1% suggests a very low probability of exploitation. The issue is not listed in the CISA KEV catalog. Exploitation requires a social\u2011engineering vector to convince an administrator to send the forged request; no direct code\u2011execution or remote\u2011code features are present. The lack of nonce checking is the root weakness, categorized as CWE-352."}}}}, "created": "2025-10-06T14:42:48.757416+00:00", "updated": "2026-04-20T19:30:06.165490+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}