{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25337", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:37.307Z", "datePublished": "2026-02-19T08:26:58.204Z", "dateUpdated": "2026-04-28T16:14:55.828Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "coachify", "product": "Coachify", "vendor": "wpcoachify", "versions": [{"changes": [{"at": "1.1.6", "status": "unaffected"}], "lessThanOrEqual": "1.1.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:06.055Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in wpcoachify Coachify coachify allows Cross Site Request Forgery.<p>This issue affects Coachify: from n/a through <= 1.1.5.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in wpcoachify Coachify coachify allows Cross Site Request Forgery.This issue affects Coachify: from n/a through <= 1.1.5."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:55.828Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/coachify/vulnerability/wordpress-coachify-theme-1-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "title": "WordPress Coachify theme <= 1.1.5 - Cross Site Request Forgery (CSRF) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T20:08:05.826765Z", "id": "CVE-2026-25337", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:05:14.478Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25337", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T20:08:05.826765Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T20:06:58.644Z"}}], "cna": {"title": "WordPress Coachify theme <= 1.1.5 - Cross Site Request Forgery (CSRF) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "wpcoachify", "product": "Coachify", "versions": [{"status": "affected", "changes": [{"at": "1.1.6", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.1.5"}], "packageName": "coachify", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:05:06.055Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/coachify/vulnerability/wordpress-coachify-theme-1-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in wpcoachify Coachify coachify allows Cross Site Request Forgery.This issue affects Coachify: from n/a through <= 1.1.5.", "supportingMedia": [{"type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in wpcoachify Coachify coachify allows Cross Site Request Forgery.<p>This issue affects Coachify: from n/a through <= 1.1.5.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:55.828Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25337", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:55.828Z", "dateReserved": "2026-02-02T12:52:37.307Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:26:58.204Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in wpcoachify Coachify coachify allows Cross Site Request Forgery.This issue affects Coachify: from n/a through <= 1.1.5."}, {"lang": "es", "value": "Falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) vulnerabilidad en wpcoachify Coachify coachify permite falsificaci\u00f3n de petici\u00f3n en sitios cruzados. Este problema afecta a Coachify: desde n/a hasta &lt;= 1.1.5."}], "id": "CVE-2026-25337", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:18.460", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/coachify/vulnerability/wordpress-coachify-theme-1-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Coachify", "source": "cna", "vendor": "wpcoachify"}, "product": "coachify", "vendor": "wpcoachify"}], "analysis": {"en": {"generated_at": "2026-04-16T06:33:58.025728+00:00", "value": {"mitigation_remediation": ["Upgrade the WordPress Coachify theme to a version newer than 1.1.5 to remove the CSRF flaw.", "If an immediate upgrade is not possible, temporarily disable or restrict the theme\u2019s administrative or state\u2011changing functions; for example, put the site into maintenance mode or limit access to privileged pages to prevent unintended actions.", "Install and configure a robust security plugin that enforces CSRF protection, such as Wordfence or Sucuri, which enforces nonces on all state\u2011changing forms and actions to guard against forged requests."], "summary": {"action": "Patch", "impact": "Unauthorized state change via CSRF"}, "threat_synthesis": {"affected_systems": "All installations of the WordPress Coachify theme with a version of 1.1.5 or older, including any sites that have not applied the latest patch or rolled over to a newer theme release. The known vendor identifier for the affected product is wpcoachify and the product name is Coachify.", "description_and_impact": "WordPress Coachify theme 1.1.5 and earlier suffer a Cross\u2011Site Request Forgery flaw that permits an attacker to trick an authenticated user\u2019s browser into sending malicious requests to the site. By exploiting this weakness, the attacker can trigger any operation that the logged\u2011in user is authorized to perform, potentially modifying or deleting content, changing settings, or executing other privileged actions. The vulnerability is an instance of the injected request forgery weakness in CWE\u2011352.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1\u00a0% suggests that exploitation is currently uncommon but still possible. The issue is not listed in CISA\u2019s KEV catalog, implying no large\u2011scale exploit activity has been recorded. Attackers can exploit the flaw by persuading a logged\u2011in user to visit a crafted link or submit a crafted form; the victim\u2019s browser would then send authenticated requests to the WordPress site, potentially executing unintended actions without further authentication steps."}}}}, "created": "2026-02-20T10:08:51.216064+00:00", "updated": "2026-04-16T06:45:16.309386+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpcoachify", "wpcoachify$PRODUCT$coachify"]}