CVE-2025-58809
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-05

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Cross-Site Request Forgery (CSRF) vulnerability in Nick Ciske To Lead For Salesforce salesforce-wordpress-to-lead allows Reflected XSS.This issue affects To Lead For Salesforce: from n/a through <= 2.7.3.9.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-05
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2025-09-05
EPSS Evaluated
2026-06-14
NVD
CVE-2025-58809
EUVD
EUVD-2025-26969
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
patchstack to_lead_for_salesforce *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-58809 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin "To Lead For Salesforce" up to version 2.7.3.9. It allows an attacker to trick authenticated users with higher privileges into performing unwanted actions on the site without their consent. This can lead to unauthorized operations being executed, potentially compromising the security of the site. The vulnerability is also related to Reflected XSS and falls under the OWASP Top 10 category A1: Broken Access Control. [1]

Impact Analysis

This vulnerability can impact you by allowing attackers to perform unauthorized actions on your site by exploiting authenticated users with higher privileges. This could lead to data compromise, unauthorized changes, or other malicious activities depending on the specific use case of the plugin. Since the plugin is abandoned and no official fix is available, the risk remains unless you replace the plugin or apply a virtual patch. Simply deactivating the plugin does not fully mitigate the risk. [1]

Detection Guidance

Detection of this CSRF vulnerability involves identifying if the WordPress 'To Lead For Salesforce' plugin version 2.7.3.9 or earlier is installed and active. Since this vulnerability allows attackers to trick authenticated users into executing unwanted actions, monitoring for unusual or unauthorized requests that perform state-changing operations could help. However, no specific detection commands or tools are provided in the available resources. [1]

Mitigation Strategies

Immediate mitigation steps include replacing the vulnerable 'To Lead For Salesforce' plugin with an alternative plugin, as the original plugin is abandoned and has no official fix. Simply deactivating the plugin does not fully eliminate the risk unless a virtual patch (vPatch) is applied. Patchstack offers virtual patching solutions that can be used to mitigate this vulnerability in the absence of official updates. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58809. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart