CVE-2025-58219
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-22

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Cross-Site Request Forgery (CSRF) vulnerability in LIJE Show Pages List show-pages-list allows Cross Site Request Forgery.This issue affects Show Pages List: from n/a through <= 1.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-22
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2025-09-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-58219
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress show_pages_list_plugin 1.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Request Forgery (CSRF) in the WordPress Show Pages List Plugin (up to version 1.2.0). It allows an attacker to trick authenticated users with higher privileges into performing unwanted actions on the site without their consent. Essentially, the attacker exploits the trust a site has in the user's browser to execute actions that compromise site security. [1]

Impact Analysis

The vulnerability can lead to unauthorized actions being performed on your WordPress site by tricking privileged users into executing them unknowingly. This can compromise site security by allowing attackers to manipulate site content or settings. Although the severity is considered low (CVSS 4.3), the risk persists because there is no official patch and the plugin is abandoned. Deactivating the plugin alone does not fully mitigate the risk without additional virtual patching. [1]

Detection Guidance

Detection of this CSRF vulnerability involves monitoring for suspicious or unauthorized requests that trigger actions in the Show Pages List plugin without proper user intent. Since the vulnerability requires no authentication to exploit and targets higher privileged users, network or system detection could include inspecting HTTP requests for unexpected POST or GET requests to the plugin's endpoints that change settings or perform actions. Specific commands are not provided in the resources, but general approaches include using web application firewalls (WAF) with CSRF detection rules, analyzing web server logs for unusual requests, or employing tools like Burp Suite or OWASP ZAP to simulate CSRF attacks against the plugin endpoints to confirm vulnerability. [1]

Mitigation Strategies

Immediate mitigation steps include removing and replacing the Show Pages List plugin, as no official patch or fix is available and the plugin is abandoned. Applying a virtual patch (vPatch) is recommended to protect the site in the absence of an official fix. Deactivating the plugin alone does not eliminate the risk. Additionally, implementing general CSRF protections such as enabling CSRF tokens, restricting user permissions, and using a web application firewall can help reduce risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58219. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart