CVE-2025-49856
BaseFortify
Publication date: 2025-06-17
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) in the WordPress Responsive Plus plugin (versions up to 3.2.2). It allows an attacker to trick authenticated users with higher privileges into performing unwanted actions, such as changing plugin settings without their consent. The attacker does not need to be authenticated themselves to exploit this issue. [1]
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized changes in the plugin settings by tricking privileged users into executing actions they did not intend. This could potentially disrupt website functionality or security configurations. However, the impact is considered low severity with a CVSS score of 4.3, and the likelihood of exploitation is limited. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the WordPress Responsive Plus plugin to version 3.2.3 or later, where the issue is fixed. As an immediate protective measure, you can use Patchstack's virtual patching (vPatching), which automatically mitigates the vulnerability even before official patches are released. [1]