VYPR
Medium severity 6.5 · NVD Advisory · Published Jun 20, 2025 · Updated Apr 23, 2026

CVE-2025-50036

Description

Cross-Site Request Forgery (CSRF) vulnerability in Yamna Khawaja Mailing Group Listserv wp-mailing-group allows Cross Site Request Forgery. This issue affects Mailing Group Listserv: from n/a through <= 3.0.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in the Mailing Group Listserv WordPress plugin up to version 3.0.5 allows attackers to force privileged users into executing unintended actions.

Vulnerability Description

The Mailing Group Listserv plugin (wp-mailing-group) for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability affecting versions up to and including 3.0.5. This flaw is present in the plugin's implementation, allowing a malicious actor to craft requests that, when triggered by an authenticated administrator, execute unwanted actions under the administrator's session [1]. CSRF vulnerabilities arise when the application does not properly validate or include anti-CSRF tokens in state-changing requests, making it possible for an attacker to forge requests on behalf of a victim [1].

Exploitation Requirements

Exploitation requires user interaction from a privileged user, such as an administrator. The attacker must trick the victim into clicking a malicious link, visiting a crafted page, or submitting a form while logged into the WordPress admin panel. No direct authentication other than the victim's session is needed; the attacker leverages the victim's existing privileges to perform the unwanted actions [1].

Impact

A successful CSRF attack can force the targeted privileged user to perform unintended actions within the plugin's context, potentially leading to unauthorized modifications of mailing lists or settings. The CVSS v3 base score of 6.5 reflects the medium severity, indicating a notable risk for users of the plugin [1].

Mitigation

The vendor has released a patched version, and immediate action is recommended: update the plugin to a version newer than 3.0.5. If updating is not possible, users should contact their hosting provider or web developer for assistance. The vulnerability is known to be used in mass-exploit campaigns, underscoring the urgency of applying the fix [1].
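An added example, not part of the advisory or the plugin's code: a Python check that reads the plugin's header comment and reports whether the installed version falls in the affected range (<= 3.0.5). It assumes the plugin lives under `wp-content/plugins/wp-mailing-group` (a directory named after the slug); the file name and header in the demo are constructed.

```python
import re
from pathlib import Path

SLUG = "wp-mailing-group"   # plugin slug named in the advisory
LAST_AFFECTED = (3, 0, 5)   # advisory: affected through <= 3.0.5

# WordPress reads plugin metadata from a header comment at the top of the main file.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t*/]*$", re.M | re.I)

def parse_version(text):
    """Turn '3.0.5' or '3.1-beta' into a comparable tuple; () if unparseable."""
    nums = []
    for part in text.strip().split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    while nums and nums[-1] == 0:   # treat 3.0.5.0 the same as 3.0.5
        nums.pop()
    return tuple(nums)

def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        fields = {k.lower(): v for k, v in HEADER_RE.findall(head)}
        if "plugin name" in fields and "version" in fields:
            return fields["version"]
    return None

def check_site(wp_root):
    """Classify a WordPress root: 'absent', 'affected', 'updated' or 'unknown'."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return "absent"
    version = installed_version(plugin_dir)
    parsed = parse_version(version) if version else ()
    if not parsed:
        return "unknown"   # header missing or unreadable: inspect by hand
    return "affected" if parsed <= LAST_AFFECTED else "updated"

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:   # constructed sample install
        d = Path(root, "wp-content", "plugins", SLUG)
        d.mkdir(parents=True)
        (d / "plugin.php").write_text(
            "<?php\n/*\n * Plugin Name: Mailing Group Listserv\n * Version: 3.0.5\n */\n")
        print(check_site(root))
```

A result of `unknown` means the directory exists but no version header could be parsed, so that install needs manual review.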

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

References: 1
