CVE-2025-47446
Description
Cross-Site Request Forgery (CSRF) vulnerability in listamester Listamester listamester allows Cross Site Request Forgery. This issue affects Listamester: from n/a through <= 2.3.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Listamester WordPress plugin is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 2.3.6, allowing attackers to force privileged users to execute unwanted actions.
Vulnerability
Overview
The Listamester WordPress plugin (versions up to and including 2.3.6) contains a Cross-Site Request Forgery (CSRF) vulnerability. It stems from missing or insufficient nonce validation in state-changing functions, so a request forged from another site is processed as if it were a legitimate action taken by the authenticated administrator whose browser sent it.
Exploitation
An attacker can exploit this by crafting a malicious link or form and tricking a logged-in administrator into clicking it. Since the request appears to originate from the admin's session, the plugin will execute the attacker's desired action without the admin's knowledge. No special privileges are required for the attacker beyond the ability to lure an admin.
Impact
Successful exploitation could allow an attacker to perform any action that the targeted administrator is permitted to do, such as modifying plugin settings, deleting content, or creating new users. The reference [1] rates this as a medium-severity issue (CVSS 4.3) and notes it is unlikely to be exploited in mass campaigns.
Mitigation
The vendor has released version 2.3.7 which fixes the vulnerability. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for the plugin. For those unable to update, contacting a hosting provider or web developer for assistance is recommended [1].
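As an added illustration of the mechanism described under Overview and the fix described under Mitigation (this is example code, not code from the Listamester plugin or from Patchstack), the following WordPress handler is shown first without any request validation and then with the nonce and capability checks that WordPress provides. Every function name, option name, nonce action and text domain here (the lm_demo_* identifiers, 'lm_demo_settings', 'lm-demo') is a hypothetical placeholder; only the WordPress core APIs (check_admin_referer, wp_nonce_field, current_user_can, update_option) are real.

```php
<?php
/**
 * Added illustration of a CSRF-prone WordPress settings handler and its
 * hardened form. Not code from the Listamester plugin: every lm_demo_*
 * name, the 'lm_demo_settings' option and the 'lm-demo' text domain are
 * hypothetical placeholders.
 */

// BEFORE: a settings handler with neither a nonce nor a capability check.
// Any POST that reaches admin-post.php while an administrator is logged in
// is processed, which is exactly the condition a cross-site forged form
// relies on.
function lm_demo_save_settings_unsafe() {
    $value = isset( $_POST['lm_demo_option'] ) ? $_POST['lm_demo_option'] : '';
    update_option( 'lm_demo_settings', sanitize_text_field( wp_unslash( $value ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=lm-demo' ) );
    exit;
}

// AFTER: the same handler with the two checks WordPress expects.
function lm_demo_save_settings_safe() {
    // Authorization: the caller must hold the capability this action needs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'lm-demo' ), 403 );
    }

    // CSRF protection: the request must carry a nonce bound to this action
    // and this user. A form rendered on another origin cannot obtain it,
    // so check_admin_referer() stops the request with a 403 here.
    check_admin_referer( 'lm_demo_save_settings', 'lm_demo_nonce' );

    $value = isset( $_POST['lm_demo_option'] )
        ? sanitize_text_field( wp_unslash( $_POST['lm_demo_option'] ) )
        : '';
    update_option( 'lm_demo_settings', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=lm-demo' ) );
    exit;
}
add_action( 'admin_post_lm_demo_save_settings', 'lm_demo_save_settings_safe' );

// The legitimate settings page emits the matching nonce field, so only a
// form WordPress rendered for this logged-in user carries a valid token.
function lm_demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="lm_demo_save_settings">
        <?php wp_nonce_field( 'lm_demo_save_settings', 'lm_demo_nonce' ); ?>
        <input type="text" name="lm_demo_option"
               value="<?php echo esc_attr( get_option( 'lm_demo_settings', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of issue, the check is mechanical: every handler hooked to admin_post_*, admin-ajax.php (wp_ajax_*) or a settings page that writes options or content should call check_admin_referer() or wp_verify_nonce() and a current_user_can() test before touching state; a nonce alone is not an authorization check, and a capability check alone does not stop a forged request from a logged-in administrator's browser.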
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.