CVE-2026-25014
Description
Cross-Site Request Forgery (CSRF) vulnerability in themelooks Enter Addons enteraddons allows Cross Site Request Forgery. This issue affects Enter Addons: from n/a through <= 2.3.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in the WordPress Enter Addons plugin up to v2.3.2 allows attackers to force authenticated users to execute unwanted actions.
This vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the Enter Addons plugin for WordPress, developed by themelooks. It affects all versions of the plugin up to and including 2.3.2. A CSRF vulnerability occurs when an application does not properly validate that a request was intentionally made by the authenticated user, allowing an attacker to craft malicious requests that appear legitimate [1].
To exploit this vulnerability, an attacker must trick a privileged user—such as an administrator—into performing an action like clicking a malicious link or submitting a crafted form while authenticated to the WordPress site. This requires user interaction from the victim, as the attack relies on the victim's active session. There is no indication that authentication is bypassed; rather, the attacker leverages the victim's existing privileges to execute unintended actions [1].
Successful exploitation could allow an attacker to force the higher-privileged user to perform actions under their current authentication, such as changing plugin settings or other unintended operations. The impact is limited to actions the victim user can perform, but could lead to unauthorized modifications within the WordPress admin context [1].
This issue has been assigned a CVSS v3 score of 4.3 (Medium). The vendor has released version 2.3.3, which patches the vulnerability. Users are strongly advised to update to version 2.3.3 or later. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not immediately possible, users should contact their hosting provider or web developer for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2
- Range: <=2.3.2
Patches
0
No patches discovered yet.
References
1
News mentions
0
No linked articles in our index yet.