{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25014", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:51:50.023Z", "datePublished": "2026-02-03T14:08:39.117Z", "dateUpdated": "2026-04-28T16:14:53.615Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "enteraddons", "product": "Enter Addons", "vendor": "themelooks", "versions": [{"changes": [{"at": "2.3.3", "status": "unaffected"}], "lessThanOrEqual": "2.3.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:58.852Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in themelooks Enter Addons enteraddons allows Cross Site Request Forgery.<p>This issue affects Enter Addons: from n/a through <= 2.3.2.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in themelooks Enter Addons enteraddons allows Cross Site Request Forgery.This issue affects Enter Addons: from n/a through <= 2.3.2."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:53.615Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/enteraddons/vulnerability/wordpress-enter-addons-plugin-2-3-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "title": "WordPress Enter Addons plugin <= 2.3.2 - Cross Site Request Forgery (CSRF) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T15:04:58.746092Z", "id": "CVE-2026-25014", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:46:48.059Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25014", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:51:50.023Z", "datePublished": "2026-02-03T14:08:39.117Z", "dateUpdated": "2026-04-28T12:46:48.059Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "enteraddons", "product": "Enter Addons", "vendor": "themelooks", "versions": [{"changes": [{"at": "2.3.3", "status": "unaffected"}], "lessThanOrEqual": "2.3.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:26:35.414Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in themelooks Enter Addons enteraddons allows Cross Site Request Forgery.<p>This issue affects Enter Addons: from n/a through <= 2.3.2.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in themelooks Enter Addons enteraddons allows Cross Site Request Forgery.This issue affects Enter Addons: from n/a through <= 2.3.2."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:48.396Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/enteraddons/vulnerability/wordpress-enter-addons-plugin-2-3-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "title": "WordPress Enter Addons plugin <= 2.3.2 - Cross Site Request Forgery (CSRF) vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25014", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-03T15:04:58.746092Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T15:04:05.306Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in themelooks Enter Addons enteraddons allows Cross Site Request Forgery.This issue affects Enter Addons: from n/a through <= 2.3.2."}, {"lang": "es", "value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en themelooks Enter Addons enteraddons permite la falsificaci\u00f3n de petici\u00f3n en sitios cruzados. Este problema afecta a Enter Addons: desde n/a hasta &lt;= 2.3.2."}], "id": "CVE-2026-25014", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-03T15:16:19.607", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/enteraddons/vulnerability/wordpress-enter-addons-plugin-2-3-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:12:07.554208+00:00", "value": {"mitigation_remediation": ["Upgrade Enter Addons to a version newer than 2.3.2 where the CSRF issue is fixed", "Disable or limit the capabilities exposed by the plugin for non\u2011admin roles", "Apply a Web Application Firewall rule to enforce CSRF token verification on the plugin\u2019s endpoints"], "summary": {"action": "Upgrade Plugin", "impact": "Cross\u2011Site Request Forgery (CSRF) enabling unauthorized actions by an authenticated user"}, "threat_synthesis": {"affected_systems": "The flaw affects the Enter Addons plugin version 2.3.2 and earlier. Watermark is for WordPress sites running the 'Enter Addons' add\u2011on from themelooks. No specific WordPress core or other plugins are listed as vulnerable.", "description_and_impact": "The Enter Addons plugin has a CSRF vulnerability that allows an attacker to forge requests on behalf of an authenticated WordPress administrator. An attacker can craft a malicious webpage that submits a form or HTTP request to the plugin's unprotected endpoints, causing the admin\u2019s browser to perform actions such as modifying plugin settings or content. The weakness is a classic token\u2011less CSRF (CWE\u2011352), which can undermine confidentiality and integrity by enabling unauthorized changes. The impact is limited to functions exposed by the plugin but can matter if those modify site content or configuration.", "risk_and_exploitability": "The CVSS score is 4.3, indicating a moderate risk level. The EPSS score of less than 1% suggests a low probability of exploitation, and the vulnerability is not listed in CISA\u2019s KEV catalog. Nevertheless, because the flaw requires an authenticated user session, the likely attack vector is a malicious site tricking an admin into visiting it while logged in. An attacker needs only a simple crafted request to exploit this issue \u2013 no advanced privileges or system access are required. While the chance of exploitation remains low, the potential for loss of control over site settings warrants attention."}}}}, "created": "2026-02-04T12:09:24.323122+00:00", "updated": "2026-04-16T01:15:20.535306+00:00", "vendors": ["themelooks", "themelooks$PRODUCT$enter_addons", "wordpress", "wordpress$PRODUCT$wordpress"]}