{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25422", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:26.262Z", "datePublished": "2026-02-19T08:27:07.187Z", "dateUpdated": "2026-04-28T16:14:58.667Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "popularis-extra", "product": "Popularis Extra", "vendor": "Themes4WP", "versions": [{"lessThanOrEqual": "1.2.10", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:09.903Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Themes4WP Popularis Extra popularis-extra allows Cross Site Request Forgery.<p>This issue affects Popularis Extra: from n/a through <= 1.2.10.</p>"}], "value": "Cross-Site Request Forgery (CSRF) vulnerability in Themes4WP Popularis Extra popularis-extra allows Cross Site Request Forgery.This issue affects Popularis Extra: from n/a through <= 1.2.10."}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:58.667Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/popularis-extra/vulnerability/wordpress-popularis-extra-plugin-1-2-10-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "title": "WordPress Popularis Extra plugin <= 1.2.10 - Cross Site Request Forgery (CSRF) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T17:10:18.668055Z", "id": "CVE-2026-25422", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:26:22.986Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25422", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T17:10:18.668055Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:09:57.588Z"}}], "cna": {"title": "WordPress Popularis Extra plugin <= 1.2.10 - Cross Site Request Forgery (CSRF) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "Cross Site Request Forgery"}]}], "affected": [{"vendor": "Themes4WP", "product": "Popularis Extra", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 1.2.10"}], "packageName": "popularis-extra", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-02-19T09:26:11.321Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/popularis-extra/vulnerability/wordpress-popularis-extra-plugin-1-2-10-cross-site-request-forgery-csrf-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Themes4WP Popularis Extra popularis-extra allows Cross Site Request Forgery.This issue affects Popularis Extra: from n/a through <= 1.2.10.", "supportingMedia": [{"type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Themes4WP Popularis Extra popularis-extra allows Cross Site Request Forgery.<p>This issue affects Popularis Extra: from n/a through <= 1.2.10.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-02-19T08:27:07.187Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25422", "state": "PUBLISHED", "dateUpdated": "2026-02-27T14:27:02.052Z", "dateReserved": "2026-02-02T12:53:26.262Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:27:07.187Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Themes4WP Popularis Extra popularis-extra allows Cross Site Request Forgery.This issue affects Popularis Extra: from n/a through <= 1.2.10."}, {"lang": "es", "value": "Una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en Themes4WP Popularis Extra popularis-extra permite la falsificaci\u00f3n de petici\u00f3n en sitios cruzados. Este problema afecta a Popularis Extra: desde n/a hasta &lt;= 1.2.10."}], "id": "CVE-2026-25422", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:23.883", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/popularis-extra/vulnerability/wordpress-popularis-extra-plugin-1-2-10-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.10]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Popularis Extra", "source": "cna", "vendor": "Themes4WP"}, "product": "popularis_extra", "vendor": "themes4wp"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T06:29:40.018204+00:00", "value": {"mitigation_remediation": ["Upgrade Popularis Extra to a version newer than 1.2.10.", "If an upgrade is not immediately possible, restrict administrative access to Popularis Extra\u2019s settings pages to administrators only, or disable the plugin until a patch is available.", "Configure WordPress to enforce non\u2011nonce or token validation on all admin requests, ensuring that Popularis Extra actions require a legitimate, verified request origin."], "summary": {"action": "Update Plugin", "impact": "Cross\u2011Site Request Forgery"}, "threat_synthesis": {"affected_systems": "The Themes4WP Popularis Extra plugin for WordPress is affected, with all releases up to and including version 1.2.10 at risk. WordPress sites that have installed any of these versions are listed as impacted.", "description_and_impact": "The vulnerability is a CSRF flaw that allows forged HTTP requests to interact with the Popularis Extra plugin, potentially leading to unauthorized changes to plugin settings or other data when a user is authenticated. Based on the nature of CSRF, it is inferred that an attacker might alter site statistics or configuration data by exploiting the plugin\u2019s lack of request origin verification.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate risk level, while the EPSS score of less than 1% suggests a currently low likelihood of exploitation. The vulnerability is not included in the CISA KEV catalog. Based on the description, it is inferred that attackers would need to target a user who is logged in with sufficient privileges to access Popularis Extra, then craft a malicious link or form that submits data to the plugin\u2019s endpoints. Because this is a CSRF issue, no additional privileges beyond those of the authenticated user are required for exploitation."}}}}, "created": "2026-02-20T10:08:18.099674+00:00", "updated": "2026-04-16T06:30:06.038054+00:00", "vendors": ["themes4wp", "themes4wp$PRODUCT$popularis_extra", "wordpress", "wordpress$PRODUCT$wordpress"]}