Platform
wordpress
Component
wp-email-capture
Fixed in
3.12.6
CVE-2025-68529 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the WP Email Capture WordPress plugin. In a CSRF attack, an attacker tricks a logged-in user's browser into submitting a request the user did not intend, potentially leading to unauthorized data modification or malicious form submissions. This vulnerability affects versions 0.0.0 through 3.12.5 of the plugin; a fix is available in version 3.12.6.
An attacker could exploit this CSRF vulnerability to perform actions as the logged-in user of the WordPress site. This could include creating, editing, or deleting email capture forms, modifying settings, or potentially accessing sensitive data stored within the plugin. The impact is amplified when the targeted user has administrative privileges, as an attacker could then gain control over the entire WordPress site. Successful exploitation requires no credentials of the attacker's own; it rides on the victim's existing session, which makes the attack relatively easy to execute if the attacker can get the user to issue a convincingly crafted request.
This vulnerability was publicly disclosed on December 24, 2025. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability's impact is considered medium due to the potential for unauthorized actions, but the lack of a readily available PoC reduces the immediate risk. It has not been added to the CISA KEV catalog.
Websites using the WP Email Capture plugin, particularly those with user accounts that have administrative privileges or access to sensitive data, are at risk. Shared hosting environments where plugin updates are managed centrally are also at increased risk, as they may be slower to apply security patches.
• wordpress / composer / npm:
  grep -r 'wp_email_capture_process_form' /var/www/html/wp-content/plugins/wp-email-capture/
• wordpress / composer / npm:
  wp plugin list --status=active | grep wp-email-capture
• wordpress / composer / npm:
  wp plugin update wp-email-capture --version=3.12.6
Disclosure
Exploit status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-68529 is to upgrade the WP Email Capture plugin to version 3.12.6 or later. If an immediate upgrade is not possible because of compatibility issues or testing requirements, consider implementing a Content Security Policy (CSP) to restrict the sources from which the browser can load resources. Additionally, a WordPress security plugin with CSRF protection can provide an extra layer of defense. After updating, verify the fix by confirming that a form submission carrying a crafted CSRF token is rejected, so the vulnerability is no longer present.
Update to version 3.12.6 or a newer patched version.
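The mechanism described in the impact paragraph above and the nonce-based protection WordPress offers plugin authors are illustrated by the following added example. It is not code from the WP Email Capture plugin or its authors: it shows a hypothetical settings-save handler with no CSRF protection beside the same handler hardened with check_admin_referer() and a capability check. Every hook, action, option and field name (the wpec_* identifiers) is an assumption made for illustration, not a name from the plugin.

```php
<?php
// Added illustration, not the WP Email Capture plugin's own code. Hook, action,
// option and field names (wpec_*) are hypothetical.

// --- Vulnerable pattern: any POST that reaches admin-post.php is trusted. ---
// A page on another origin can auto-submit a form to this endpoint; the victim's
// browser attaches their WordPress session cookie, so the action runs as them.
add_action( 'admin_post_wpec_save_settings_vuln', 'wpec_save_settings_vuln' );
function wpec_save_settings_vuln() {
    $title = sanitize_text_field( wp_unslash( $_POST['wpec_form_title'] ?? '' ) );
    update_option( 'wpec_form_title', $title );           // no proof of user intent
    wp_safe_redirect( admin_url( 'options-general.php?page=wpec' ) );
    exit;
}

// --- Hardened pattern: verify a nonce bound to this action, then check privilege. ---
add_action( 'admin_post_wpec_save_settings', 'wpec_save_settings' );
function wpec_save_settings() {
    // check_admin_referer() stops with HTTP 403 when the nonce field is missing,
    // expired, or was generated for a different action or a different user. A
    // cross-site request cannot carry a valid nonce: it is derived from the
    // victim's session and the action name, and only the real form emits it.
    check_admin_referer( 'wpec_save_settings', 'wpec_nonce' );

    // Authorisation is separate from CSRF protection: a valid nonce proves the
    // request came from this site's form, not that the user may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to change these settings.', 'wpec' ),
            '',
            array( 'response' => 403 )
        );
    }

    $title = sanitize_text_field( wp_unslash( $_POST['wpec_form_title'] ?? '' ) );
    update_option( 'wpec_form_title', $title );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=wpec' ) ) );
    exit;
}

// --- The settings form that emits the nonce the hardened handler expects. ---
function wpec_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpec_save_settings" />
        <?php wp_nonce_field( 'wpec_save_settings', 'wpec_nonce' ); ?>
        <label for="wpec_form_title">Form title</label>
        <input type="text" id="wpec_form_title" name="wpec_form_title"
               value="<?php echo esc_attr( get_option( 'wpec_form_title', '' ) ); ?>" />
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The two handlers differ only in the two checks at the top of wpec_save_settings(): the nonce check rejects a request that did not originate from the site's own form, and the capability check rejects a legitimate but under-privileged user. The verification step in the mitigation paragraph corresponds to the first check: a submission whose nonce is missing or invalid should be answered with a 403 before any option is written.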
CVE-2025-68529 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP Email Capture WordPress plugin, allowing attackers to perform actions as a logged-in user.
Yes, if you are using WP Email Capture versions 0.0.0 through 3.12.5, you are affected by this vulnerability.
Upgrade the WP Email Capture plugin to version 3.12.6 or later to resolve the vulnerability. Consider implementing CSP or a security plugin as an interim measure.
There is no confirmed active exploitation of CVE-2025-68529 at this time, but the vulnerability is publicly known.
Refer to the WP Email Capture plugin's official website or WordPress plugin repository for the latest advisory and update information.