CVE-2025-53268
BaseFortify
Publication date: 2025-06-27
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in the WordPress plugin "Import external attachments" up to version 1.5.12. It allows an attacker to trick authenticated users with higher privileges into performing unauthorized actions on the site without their consent, potentially compromising site security. The vulnerability falls under the OWASP Top 10 category A1: Broken Access Control and has a low severity score of 4.3. [1]
How can this vulnerability impact me? :
The vulnerability can impact you by allowing attackers to execute unauthorized actions on your WordPress site through the vulnerable plugin when a privileged user is tricked into performing these actions. This can lead to compromised site security and potentially unauthorized changes or operations within your site. Since the plugin is abandoned and no official fix is available, the risk persists unless mitigated by virtual patching or removing the plugin. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying virtual patching (vPatch) solutions offered by Patchstack to protect against automated attacks exploiting this vulnerability. Since the plugin is abandoned and no official fix is available, it is recommended to remove and replace the 'Import external attachments' plugin with a secure alternative. Simply deactivating the plugin does not eliminate the risk. [1]