CVE-2025-49391
Description
Cross-Site Request Forgery (CSRF) vulnerability in Fetch Designs Sign-up Sheets (sign-up-sheets) allows Cross-Site Request Forgery. This issue affects Sign-up Sheets: from n/a through <= 2.3.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Sign-up Sheets WordPress plugin ≤2.3.3 is vulnerable to CSRF, allowing attackers to force privileged users into executing unintended actions.
The Sign-up Sheets plugin for WordPress versions up to and including 2.3.3 contains a Cross-Site Request Forgery (CSRF) vulnerability. This flaw stems from insufficient validation of request origins, enabling attackers to craft malicious links or forms that, when clicked by an authenticated administrator, execute unwanted actions under the admin's session [1].
Exploitation requires user interaction: a privileged user (e.g., admin) must be tricked into clicking a crafted link, visiting a malicious page, or submitting a form while authenticated to the WordPress site. No additional authentication is needed for the attacker beyond the user's existing session [1].
If successfully exploited, the attacker can force the victim to perform actions like changing plugin settings or creating unauthorized sign-up sheets, potentially leading to data manipulation or privilege escalation. The CVSS v3 score is 4.3 (Medium) [1].
The vulnerability is fixed in version 2.3.3.1. Users are strongly advised to update immediately. Patchstack auto-update can also be enabled for automated protection [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=2.3.3
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.