CVE-2025-47596

Vulnerability

Analysis

The Beacon Lead Magnets and Lead Capture plugin for WordPress, versions from n/a through 1.5.8, contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. This issue arises from insufficient validation of request origins, allowing an attacker to craft malicious requests that can be executed by an authenticated administrative user [1].

Exploitation

Details

Exploitation requires user interaction — a privileged user must click a malicious link, visit a crafted page, or submit a specially crafted form while authenticated to the WordPress site [1]. An attacker does not need direct access to the site but can target higher privileged users via social engineering or embedded content [1].

Impact

Successful exploitation could allow an attacker to force the targeted user to perform unintended actions within the plugin's scope, such as modifying lead capture settings or adding unauthorized lead magnets [1]. The CVSS v3 base score is 4.3, reflecting a medium severity with low exploit likelihood [1].

Mitigation

The vulnerability is patched in version 1.5.9 of the plugin [1]. Users are advised to update immediately; if unable, enable auto-updates or seek assistance from a hosting provider [1]. Patchstack users can enable auto-update for vulnerable plugins only [1].