CVE-2025-67591
Description
Cross-Site Request Forgery (CSRF) vulnerability in jegtheme JNews Paywall jnews-paywall allows Cross Site Request Forgery. This issue affects JNews Paywall: from n/a through < 12.0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in JNews Paywall plugin (WordPress) allows attackers to trick authenticated users into unintended actions; fixed in 12.0.1.
Vulnerability Overview
A Cross-Site Request Forgery (CSRF) vulnerability in the JNews Paywall plugin for WordPress (versions from n/a through <12.0.1) allows attackers to perform unauthorized actions on behalf of authenticated users. The issue stems from missing or insufficient CSRF token validation, enabling malicious requests to be processed without user consent [1].
Exploitation
Exploitation requires a privileged user to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a form. No authentication is needed for the attacker, but the victim must have an active session with the target WordPress site. The attack complexity is low, and the attack vector is network-based [1].
Impact
Successful exploitation could force a higher-privileged user to execute unintended actions under their current authentication. This may include modifying plugin settings, disabling paywall features, or performing other administrative tasks, potentially compromising the integrity of the website [1].
Mitigation
The vulnerability has been patched in version 12.0.1 of the JNews Paywall plugin. Users are strongly advised to update to this version or later. Patchstack users can enable automatic updates for vulnerable plugins to ensure protection [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <12.0.1
Patches
No patches discovered yet.
References