CVE-2025-62089
Description
Cross-Site Request Forgery (CSRF) vulnerability in MERGADO Mergado Pack (mergado-marketing-pack) allows Cross-Site Request Forgery. This issue affects Mergado Pack: from n/a through <= 4.2.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in Mergado Pack plugin (≤4.2.1) allows attackers to force privileged users to execute unwanted actions.
The Mergado Pack plugin (mergado-marketing-pack) for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions from n/a through 4.2.1 [1]. This issue stems from missing or insufficient CSRF token validation, allowing an attacker to trick a logged-in administrator into performing unintended actions [1].
Exploitation requires user interaction: a privileged user must click a malicious link or submit a crafted form while authenticated to the WordPress dashboard [1]. The attack can be initiated by a low-privileged role, but the CSRF payload itself executes with the victim's privileges [1]. No other prerequisites, such as network access, are specified beyond the victim being logged in.
Successful exploitation could allow an attacker to force higher-privileged users (e.g., administrators) to execute unwanted actions within their current session, such as changing plugin settings, modifying content, or making other configuration changes [1]. The CVSS v3 base score is 4.3 (Medium), reflecting the required user interaction and the limited impact [1].
PatchStack recommends updating the plugin immediately to a version higher than 4.2.1 as the mitigation [1]. No workarounds are listed; users unable to update should seek assistance from their hosting provider or web developer [1]. This vulnerability is noted as being used in mass-exploitation campaigns, which stresses the urgency of patching [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Affected product ranges: 1
- Range: <= 4.2.1
Patches
Patches found: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
References: 1
News mentions: 0
No linked articles in our index yet.