{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25319", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:20:47.811Z", "datePublished": "2026-02-19T08:26:55.141Z", "dateUpdated": "2026-04-28T16:14:54.796Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "zita-site-library", "product": "Zita Elementor Site Library", "vendor": "wpzita", "versions": [{"changes": [{"at": "1.6.7", "status": "unaffected"}], "lessThanOrEqual": "1.6.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:03.793Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in wpzita Zita Elementor Site Library zita-site-library allows Cross Site Request Forgery.<p>This issue affects Zita Elementor Site Library: from n/a through <= 1.6.6.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in wpzita Zita Elementor Site Library zita-site-library allows Cross Site Request Forgery.This issue affects Zita Elementor Site Library: from n/a through <= 1.6.6."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:54.796Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/zita-site-library/vulnerability/wordpress-zita-elementor-site-library-plugin-1-6-6-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "title": "WordPress Zita Elementor Site Library plugin <= 1.6.6 - Cross Site Request Forgery (CSRF) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T21:32:40.287564Z", "id": "CVE-2026-25319", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:56:38.302Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25319", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T21:32:40.287564Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:31:02.536Z"}}], "cna": {"title": "WordPress Zita Elementor Site Library plugin <= 1.6.6 - Cross Site Request Forgery (CSRF) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "wpzita", "product": "Zita Elementor Site Library", "versions": [{"status": "affected", "changes": [{"at": "1.6.7", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.6.6"}], "packageName": "zita-site-library", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:39.149Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/zita-site-library/vulnerability/wordpress-zita-elementor-site-library-plugin-1-6-6-cross-site-request-forgery-csrf-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in wpzita Zita Elementor Site Library zita-site-library allows Cross Site Request Forgery.This issue affects Zita Elementor Site Library: from n/a through <= 1.6.6.", "supportingMedia": [{"type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in wpzita Zita Elementor Site Library zita-site-library allows Cross Site Request Forgery.<p>This issue affects Zita Elementor Site Library: from n/a through <= 1.6.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:49.099Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25319", "state": "PUBLISHED", "dateUpdated": "2026-04-28T12:56:38.302Z", "dateReserved": "2026-02-02T12:20:47.811Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:26:55.141Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in wpzita Zita Elementor Site Library zita-site-library allows Cross Site Request Forgery.This issue affects Zita Elementor Site Library: from n/a through <= 1.6.6."}, {"lang": "es", "value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en wpzita Zita Elementor Site Library zita-site-library permite la falsificaci\u00f3n de petici\u00f3n en sitios cruzados. Este problema afecta a Zita Elementor Site Library: desde n/a hasta &lt;= 1.6.6."}], "id": "CVE-2026-25319", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:16.200", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/zita-site-library/vulnerability/wordpress-zita-elementor-site-library-plugin-1-6-6-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6.6]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.6.7,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Zita Elementor Site Library", "source": "cna", "vendor": "wpzita"}, "product": "zita_elementor_site_library", "vendor": "wpzita"}], "analysis": {"en": {"generated_at": "2026-04-16T06:36:23.460239+00:00", "value": {"mitigation_remediation": ["Upgrade the Zita Elementor Site Library plugin to the latest released version that addresses the CSRF issue. ", "Ensure that the site\u2019s security configuration enforces CSRF token validation and same\u2011site cookies for all state\u2011changing requests, particularly for the plugin\u2019s endpoints. ", "If an immediate upgrade is not feasible, implement a web application firewall rule that blocks or flags POST/PUT requests to the plugin\u2019s endpoints that lack a valid CSRF token or originate from unfamiliar sources."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Request Forgery"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the wpzita Zita Elementor Site Library plugin \u2013 all versions up through 1.6.6 are susceptible. No earlier vulnerable version is specified, but any release prior to the patched version should be considered at risk until it is updated.", "description_and_impact": "Cross\u2011Site Request Forgery vulnerability in Zita Elementor Site Library plugin allows attackers to execute actions on behalf of authenticated users. The flaw occurs because the plugin does not enforce proper CSRF protection for its endpoints. An attacker can craft a malicious request that triggers a state\u2011changing operation, such as updating content or changing settings, when a logged\u2011in user visits a malicious page. This undermines the integrity of the site and can lead to defacement or data tampering.", "risk_and_exploitability": "With a CVSS score of 4.3 the risk is moderate, and an EPSS score of less than 1% indicates a low probability of exploitation in the short term. The vulnerability is not listed in the CISA KEV catalog. The attack vector is via the web: an attacker must entice a logged\u2011in user to visit a malicious site that forces a state\u2011changing request to the plugin\u2019s endpoint. No additional network access or privileged credentials are required beyond user authentication, but successful exploitation compromises the site\u2019s integrity."}}}}, "created": "2026-02-20T10:09:04.427905+00:00", "updated": "2026-04-16T06:45:16.312359+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpzita", "wpzita$PRODUCT$zita_elementor_site_library"]}