CVE-2025-6040
Description
The Easy Flashcards plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1. This is due to missing or incorrect nonce validation on the 'ef_settings_submenu' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in Easy Flashcards ≤0.1 lets unauthenticated attackers trick admins into changing settings and injecting scripts.
The Easy Flashcards plugin for WordPress, in versions up to and including 0.1, contains a Cross-Site Request Forgery (CSRF) vulnerability on the ef_settings_submenu page. The plugin fails to include or properly validate a nonce when processing requests to this settings page, meaning an attacker can forge a request that appears to come from a legitimate administrator. The plugin has been closed as of June 13, 2025 due to a security issue [1].
No authentication is required to send the forged request, but exploitation requires social engineering: an attacker must trick a logged-in site administrator into clicking a crafted link or visiting a malicious page. The vulnerable endpoint processes setting updates without verifying the request's origin, allowing the attacker to modify plugin configuration and inject arbitrary web scripts (stored XSS) into the settings fields.
Successful exploitation enables an unauthenticated attacker to change plugin settings and inject malicious JavaScript or HTML. If the stored scripts are later rendered in the admin dashboard (e.g., on the settings page itself), the attacker could achieve persistent XSS within the admin context, potentially leading to further compromise of the WordPress site.
The vendor has closed the plugin and removed it from the WordPress Plugin Directory, effectively marking it as end-of-life [1]. Sites still running the plugin should immediately disable and delete it, then audit for any injected scripts or unauthorized configuration changes. No patched version exists.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
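The missing check described above, as an added illustration that is not the Easy Flashcards plugin's own code: a hypothetical WordPress settings handler that applies any POST it receives, beside the hardened form that ties each submission to a nonce, checks capability and sanitizes the value before storing it. The function and option names (ef_save_settings_*, ef_title, ef_settings_nonce) are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Names are hypothetical.

// Vulnerable pattern: any POST reaching this handler is applied. A forged
// request from another site, sent with the admin's session cookies, is
// indistinguishable from a real form submission, and the raw value is stored.
function ef_save_settings_vulnerable() {
    if ( isset( $_POST['ef_title'] ) ) {
        update_option( 'ef_title', $_POST['ef_title'] ); // unsanitized, stored
    }
}

// Hardened pattern, part 1: emit a per-user, time-limited nonce in the form.
function ef_render_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'ef_save_settings', 'ef_settings_nonce' );
    echo '<input type="text" name="ef_title" value="'
        . esc_attr( get_option( 'ef_title', '' ) ) . '">';
    submit_button();
    echo '</form>';
}

// Hardened pattern, part 2: verify capability and nonce, then sanitize.
// Returns true when the option was updated, false when the request was ignored.
function ef_save_settings_hardened() {
    if ( ! isset( $_POST['ef_title'] ) ) {
        return false;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    // Calls wp_die() when the nonce is absent or invalid, so a forged
    // cross-site request never reaches update_option().
    check_admin_referer( 'ef_save_settings', 'ef_settings_nonce' );
    // Strip tags so a stored value cannot later render as script in the
    // dashboard (the stored XSS path the advisory describes).
    update_option( 'ef_title', sanitize_text_field( wp_unslash( $_POST['ef_title'] ) ) );
    return true;
}
```

The nonce only proves the submission came from a form WordPress rendered for this user; the capability check and sanitization are what limit who can change the setting and what can be stored.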
Affected products
- Range: <=0.1
Patches
No patches discovered yet.
References