CVE-2025-49285
BaseFortify
Publication date: 2025-06-06
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the WordPress plugin "WP Cookie Notice for GDPR, CCPA & ePrivacy Consent" up to version 3.8.0. It allows an attacker to trick authenticated users with higher privileges into performing unwanted actions on the site without their consent, potentially compromising site security. The vulnerability falls under the OWASP Top 10 category A1: Broken Access Control. [1]
How can this vulnerability impact me? :
The vulnerability can impact you by allowing attackers to execute unauthorized actions on your website through tricking privileged users, which may lead to compromised site security. However, the risk is considered low severity with a CVSS score of 4.3, and exploitation is unlikely. It is recommended to update the plugin to version 3.8.1 or later to mitigate this risk. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this CSRF vulnerability involves checking the version of the WordPress plugin "WP Cookie Notice for GDPR, CCPA & ePrivacy Consent" installed on your system. If the version is 3.8.0 or earlier, it is vulnerable. You can detect the plugin version by running WordPress CLI commands such as `wp plugin list` to list installed plugins and their versions. Additionally, monitoring for unusual or unauthorized actions performed by authenticated users may indicate exploitation attempts. There are no specific network commands provided for direct detection of this vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the "WP Cookie Notice for GDPR, CCPA & ePrivacy Consent" plugin to version 3.8.1 or later, where the vulnerability is fixed. As an interim measure, Patchstack offers virtual patching (vPatching) that can automatically mitigate the vulnerability before official patches are applied. Users should also maintain updated plugins and consider professional incident response if a compromise is suspected. [1]