CVE-2025-58219
BaseFortify
Publication date: 2025-09-22
Last updated on: 2026-04-23
Assigner: Patchstack
Description
CVSS Scores
EPSS Scores
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | show_pages_list_plugin | 1.2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) in the WordPress Show Pages List Plugin (up to version 1.2.0). It allows an attacker to trick authenticated users with higher privileges into performing unwanted actions on the site without their consent. Essentially, the attacker exploits the trust a site has in the user's browser to execute actions that compromise site security. [1]
How can this vulnerability impact me?
The vulnerability can lead to unauthorized actions being performed on your WordPress site by tricking privileged users into executing them unknowingly. This can compromise site security by allowing attackers to manipulate site content or settings. Although the severity is considered low (CVSS 4.3), the risk persists because there is no official patch and the plugin is abandoned. Deactivating the plugin alone does not fully mitigate the risk without additional virtual patching. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this CSRF vulnerability involves monitoring for suspicious or unauthorized requests that trigger actions in the Show Pages List plugin without genuine user intent. Since the attacker needs no account of their own and the attack relies on a logged-in, higher-privileged user's browser submitting the request, network or system detection could include inspecting HTTP requests for unexpected POST or GET requests to the plugin's endpoints that change settings or perform actions (for example, state-changing requests whose Referer or Origin header points to an external site). Specific commands are not provided in the resources, but general approaches include using a web application firewall (WAF) with CSRF detection rules, analyzing web server logs for unusual requests, or employing tools like Burp Suite or OWASP ZAP to simulate CSRF attacks against the plugin endpoints to confirm the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include removing and replacing the Show Pages List plugin, as no official patch or fix is available and the plugin is abandoned. Applying a virtual patch (vPatch) is recommended to protect the site in the absence of an official fix. Deactivating the plugin alone does not eliminate the risk. Additionally, implementing general CSRF protections such as enabling CSRF tokens, restricting user permissions, and using a web application firewall can help reduce risk. [1]
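The "enabling CSRF tokens" advice above, shown as a WordPress nonce plus capability check. This is an added illustration, not the Show Pages List plugin's own code or a patch for it; the option name, action names and field names (all prefixed `spl_`) are hypothetical.

```php
<?php
// Added illustration (not the plugin's code): hypothetical spl_* option/action names.
// Vulnerable pattern: the handler trusts any request that carries the expected field.
add_action( 'admin_post_spl_save_settings_unsafe', function () {
    if ( isset( $_POST['spl_exclude_ids'] ) ) {
        // No nonce, no capability check: a forged cross-site POST sent from a
        // logged-in administrator's browser silently updates the option.
        update_option( 'spl_exclude_ids', $_POST['spl_exclude_ids'] );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=spl' ) );
    exit;
} );

// Hardened pattern: the nonce ties the request to a form the user actually rendered,
// the capability check limits who may change the setting, and the input is sanitized.
function spl_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'spl_save_settings', 'spl_nonce' ); ?>
        <input type="hidden" name="action" value="spl_save_settings">
        <input type="text" name="spl_exclude_ids"
               value="<?php echo esc_attr( get_option( 'spl_exclude_ids', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_spl_save_settings', function () {
    // Dies with a 403 unless a valid, unexpired nonce for this action is present;
    // a third-party page cannot read the victim's nonce, so a forged POST fails here.
    check_admin_referer( 'spl_save_settings', 'spl_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $raw = isset( $_POST['spl_exclude_ids'] ) ? wp_unslash( $_POST['spl_exclude_ids'] ) : '';
    // Keep only a comma-separated list of positive integers (page IDs).
    $ids = array_filter( array_map( 'absint', explode( ',', sanitize_text_field( $raw ) ) ) );
    update_option( 'spl_exclude_ids', implode( ',', $ids ) );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=spl' ) ) );
    exit;
} );
```

When reviewing an abandoned plugin before replacing it, the handlers to look for are the ones shaped like the first block: a state-changing action reachable through admin-post.php, admin-ajax.php or a front-end request with no `check_admin_referer`/`wp_verify_nonce` and no `current_user_can` guard.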