VYPR

CVE-2025-62873

Medium severity (CVSS 4.3) · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

Description

Cross-Site Request Forgery (CSRF) vulnerability in Flashyapp WP Flashy Marketing Automation (wp-flashy-marketing-automation) allows Cross Site Request Forgery. This issue affects WP Flashy Marketing Automation: from n/a through <= 2.0.8.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF vulnerability in WP Flashy Marketing Automation plugin <= 2.0.8 allows attackers to force privileged users to execute unintended actions.

The WP Flashy Marketing Automation plugin for WordPress, up to version 2.0.8, is vulnerable to Cross-Site Request Forgery (CSRF). The flaw exists because the plugin fails to implement adequate CSRF protection mechanisms, such as nonce verification, on sensitive actions. This lack of validation makes it possible for an attacker to trick a logged-in administrator into unknowingly performing actions they did not intend [1].

The attack requires user interaction—specifically, a privileged user must click a malicious link, visit a crafted page, or submit a form while authenticated. An attacker can craft a request targeting the plugin's administrative functions and deliver it via social engineering, such as a link in an email or a hidden element on a website. Successful exploitation depends on the victim performing the action while their session is active [1].

If exploited, an attacker could force a higher-privileged user (such as an administrator) to execute unwanted actions under their current authentication. This could include modifying plugin settings, altering marketing automation rules, or performing other state-changing operations that compromise the integrity of the site's marketing functionality. The CVSSv3 score is 4.3 (Medium), reflecting the need for user interaction and the contextual impact [1].

The vulnerability has been addressed in version 2.0.9. Users are strongly advised to update to this latest version or enable auto-updates for vulnerable plugins. Patchstack has noted that while this specific issue has low severity and is unlikely to be mass-exploited, immediate action is recommended to prevent potential targeted attacks [1].
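The narrative above attributes the flaw to state-changing admin actions that lack nonce verification. The following is an added illustration of that failure mode and its fix in a hypothetical WordPress plugin; it is not code from WP Flashy Marketing Automation, and every name in it (the `example_` prefix, option keys, action names, the `webhook_url` field) is an assumption chosen for the example.

```php
<?php
/**
 * Added illustration (not code from the WP Flashy Marketing Automation plugin):
 * a hypothetical plugin settings form and its admin-post handler, first without
 * CSRF protection, then with WordPress nonce and capability checks. All names
 * (the example_ prefix, option keys, action names) are assumptions.
 */

// ---- Vulnerable pattern: state change on any authenticated POST ------------
// Any page the administrator visits can submit a form to
// wp-admin/admin-post.php?action=example_save_settings; the browser attaches the
// admin's cookies, and nothing proves the request came from the plugin's own page.
// (Shown for contrast only; it is deliberately not registered with add_action.)
function example_save_settings_unsafe() {
    update_option( 'example_webhook_url', $_POST['webhook_url'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

// ---- Hardened pattern: nonce + capability + sanitization -------------------
// The settings form embeds a nonce tied to the action and the current user session.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <label>Webhook URL
            <input type="url" name="webhook_url"
                   value="<?php echo esc_attr( get_option( 'example_webhook_url', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_save_settings_safe() {
    // 1. CSRF check: the nonce must be present, valid for this action, and unexpired.
    //    check_admin_referer() calls wp_die() on failure, so the request stops here.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // 2. Authorization check: a nonce proves intent, not privilege; still verify capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'example' ), '', array( 'response' => 403 ) );
    }

    // 3. Validate and sanitize input before persisting it.
    $url = isset( $_POST['webhook_url'] ) ? esc_url_raw( wp_unslash( $_POST['webhook_url'] ) ) : '';
    if ( '' === $url || ! wp_http_validate_url( $url ) ) {
        wp_die( esc_html__( 'Invalid webhook URL.', 'example' ), '', array( 'response' => 400 ) );
    }
    update_option( 'example_webhook_url', $url );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example' ) ) );
    exit;
}

// admin_post_{action} only fires for logged-in users, which is exactly the
// population a CSRF attack relies on; the nonce check is what closes the gap.
add_action( 'admin_post_example_save_settings', 'example_save_settings_safe' );

// AJAX endpoints need the same treatment, using check_ajax_referer().
add_action( 'wp_ajax_example_toggle_rule', function () {
    check_ajax_referer( 'example_toggle_rule', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $enabled = isset( $_POST['enabled'] ) && '1' === $_POST['enabled'];
    update_option( 'example_rule_enabled', $enabled );
    wp_send_json_success( array( 'enabled' => $enabled ) );
} );
```

The two checks are deliberately separate: the nonce (`check_admin_referer` / `check_ajax_referer`) establishes that the request originated from a page the plugin itself rendered for this user, while `current_user_can` establishes that the user is allowed to make the change at all. A link that triggers a state change over GET needs the same protection via `wp_nonce_url()` plus a `check_admin_referer()` in its handler; a reviewer auditing a plugin for this CVE class looks for any `update_option`, database write or rule change reachable from an `admin_post_*`, `wp_ajax_*` or `admin_init` hook without one of these verification calls in front of it.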

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
