CSRF in Publishpress Capabilities Pro

CVE-2021-25032

The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and does not ensure…

Vulnerability class: CSRF (Cross-Site Request Forgery)

EPSS: 0.819 (99.2nd percentile)

Affected products

  • Unknown Publishpress Capabilities Pro — versions 2.0, 2.3.1
  • Unknown Publishpress Capabilities – User Role Access, Editor Permissions, Admin Menus — versions 2.0, 2.3.1

Frequently asked questions

What is CVE-2021-25032?
CVE-2021-25032 is a vulnerability in Publishpress Capabilities Pro, classified under Cross-Site Request Forgery (CSRF). Published 2022-01-10.
Is CVE-2021-25032 known to be exploited?
3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.