Platform: wordpress
Component: listify
Fixed in: 3.2.6
CVE-2025-59009 is a Cross-Site Request Forgery (CSRF) vulnerability in Astoundify Listify, a WordPress plugin. In a CSRF attack the attacker's page forges a request to the target site, and the victim's browser submits it with the victim's WordPress session cookies attached; if a logged-in Listify user is lured to an attacker-controlled page or link, actions can be carried out in that user's name without their intent. Versions from 0.0.0 up to and including 3.2.5 are affected; the fix ships in version 3.2.6.
The impact of a successful attack depends on the victim's privileges within Listify: the attacker can trigger whatever state-changing actions that user is allowed to perform, such as modifying listing settings, deleting data, or creating new listings, without the user's knowledge or consent. If the victim holds administrative access, that extends to administrative changes across the Listify installation. Because the forged request carries the victim's own credentials, user awareness is only a partial defence; the durable fix is the vendor patch.
CVE-2025-59009 was publicly disclosed on 2025-12-16. No public proof-of-concept (PoC) code has been identified at the time of writing. The severity is rated medium: the attacker can cause unauthorized actions, but only if a logged-in victim interacts (visits a page or follows a link). It is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC: no value given on this page
CVSS Vector: no value given on this page
The primary mitigation for CVE-2025-59009 is to upgrade Astoundify Listify to version 3.2.6 or later without delay. If upgrading is not immediately feasible, be aware that a Content Security Policy does not defend against CSRF: the forged request originates from the attacker's page, which the target site's CSP does not govern. Interim measures that do reduce exposure: set the SameSite attribute (Lax or Strict) on the WordPress authentication cookies where your stack does not already, which stops most cross-site POST requests from carrying the session (Lax still allows top-level GET navigations, so any action reachable via GET remains exposed); place a web application firewall in front of the site and, where it supports it, reject state-changing requests to the plugin's endpoints whose Origin or Referer header is not your own domain; keep the number of privileged accounts small; and have administrators log out of the WordPress dashboard before browsing untrusted sites. Regularly review Listify's configuration and user permissions to limit what a forged request could change.
A patch is available (3.2.6). If the plugin cannot be updated in your environment, review the vulnerability's details in depth and apply mitigations according to your organization's risk tolerance; as a last resort, deactivate or uninstall the affected plugin and replace it.
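The pattern behind a WordPress CSRF flaw of this kind, and the standard fix, as an added illustration for this advisory. This is not Listify's code and does not reproduce the vulnerable Listify handler; the hook name `admin_post_example_update_listing_settings`, the option and field names, and the `example_` functions are assumptions chosen to show the pattern. The vulnerable handler accepts any POST that arrives with a valid session; the hardened one additionally requires a nonce that only a form served by this site to this user can carry.

```php
<?php
// Added example for the CVE-2025-59009 advisory, not Listify's own code.
// All names below (hook, option key, field names) are hypothetical.

// --- Vulnerable pattern (shown for contrast, deliberately not registered) ---
// A logged-in user who visits an attacker's page can be made to auto-submit a
// form to admin-post.php. The browser attaches the WordPress auth cookies, so
// the handler runs with the victim's privileges. A capability check alone does
// not help: the victim really does have the capability.
function example_update_listing_settings_vulnerable() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // No nonce check: nothing proves the request came from our own form.
    $settings = (array) wp_unslash( $_POST['settings'] ?? array() );
    update_option( 'example_listing_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=example-listings&updated=1' ) );
    exit;
}

// --- Hardened pattern: per-user, per-action nonce bound to the session ---
// The form embeds a nonce generated for this user and this action. A page on
// another origin cannot read it (same-origin policy), so a forged request
// cannot supply a valid one.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_update_listing_settings">
        <?php wp_nonce_field( 'example_update_listing_settings', '_example_nonce' ); ?>
        <label>Title <input type="text" name="settings[title]" value=""></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_example_update_listing_settings', 'example_update_listing_settings_hardened' );
function example_update_listing_settings_hardened() {
    // Capability check answers "may this user do this?"; the nonce check
    // answers "did this user actually intend to do this now?". Both are needed.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // check_admin_referer() verifies the nonce for this action and terminates
    // the request on failure, so the code below only runs for requests that
    // carry a nonce issued by this site to this user. For wp_ajax_ handlers the
    // equivalent call is check_ajax_referer().
    check_admin_referer( 'example_update_listing_settings', '_example_nonce' );

    $settings = (array) wp_unslash( $_POST['settings'] ?? array() );
    $clean    = array( 'title' => sanitize_text_field( $settings['title'] ?? '' ) );
    update_option( 'example_listing_settings', $clean );
    wp_safe_redirect( admin_url( 'admin.php?page=example-listings&updated=1' ) );
    exit;
}
```

When auditing a plugin for this class of bug, look for `admin_post_`, `wp_ajax_` and `init`-hooked handlers that read `$_POST` or `$_GET` and change state without a `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` call on the path to the write. A WordPress nonce is tied to the user and expires (by default within 12 to 24 hours), so it is not reusable across victims.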
CVE-2025-59009 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Astoundify Listify versions 0.0.0–3.2.5, allowing attackers to perform unauthorized actions.
You are affected if you are using Astoundify Listify version 3.2.5 or earlier. Check your plugin version and upgrade immediately.
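A small script to check whether an installed copy falls in the affected range, added here as an example and not part of the advisory or of Listify. It reads the standard WordPress plugin header (the same `Version:` line that `get_plugin_data()` parses) without needing a running WordPress install. The sample header embedded below is constructed; pass the path to the plugin's main file as the first argument to check a real installation.

```php
<?php
// Added example for the CVE-2025-59009 advisory, not Listify's own code.
// Usage: php check_listify.php /path/to/wp-content/plugins/listify/listify.php
// With no argument it runs against the constructed sample header below.

const LISTIFY_FIXED_VERSION = '3.2.6';

/**
 * Extract the "Version:" header value from the contents of a plugin's main file.
 * Mirrors how WordPress reads headers: only the first 8 KiB are considered and
 * the field may be preceded by comment punctuation.
 */
function example_plugin_header_version( string $file_contents ): ?string {
    $head = substr( $file_contents, 0, 8192 );
    if ( preg_match( '/^[ \t\/*#@]*Version:(.*)$/mi', $head, $m ) ) {
        // Strip a trailing "*/" in case the header closes on the same line.
        return trim( preg_replace( '/\s*(?:\*\/|\?>).*/', '', $m[1] ) );
    }
    return null;
}

/**
 * True when the installed version is below the fixed release.
 * version_compare() ranks suffixes such as "-beta1" or "RC1" below the plain
 * release, so a pre-release build of 3.2.6 is still reported as affected.
 */
function example_is_affected( string $installed ): bool {
    return version_compare( $installed, LISTIFY_FIXED_VERSION, '<' );
}

// Constructed sample standing in for a real plugin file (assumption).
$sample = "<?php\n/**\n * Plugin Name: Listify\n * Version: 3.2.5\n */\n";

$contents = isset( $argv[1] ) ? file_get_contents( $argv[1] ) : $sample;
if ( $contents === false ) {
    fwrite( STDERR, "Cannot read {$argv[1]}\n" );
    exit( 2 );
}

$version = example_plugin_header_version( $contents );
if ( $version === null ) {
    fwrite( STDERR, "No Version header found\n" );
    exit( 2 );
}

printf(
    "Installed version %s: %s\n",
    $version,
    example_is_affected( $version )
        ? 'AFFECTED by CVE-2025-59009, upgrade to ' . LISTIFY_FIXED_VERSION . ' or later'
        : 'not affected'
);
exit( example_is_affected( $version ) ? 1 : 0 );
```

On a live site the same answer is available from the WordPress dashboard's Plugins page or from WP-CLI (`wp plugin get listify --field=version`); the script is useful when scanning many installations from the filesystem.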
Upgrade Astoundify Listify to version 3.2.6 or later to resolve the vulnerability. SameSite cookie attributes, WAF rules and reduced privileges are defence in depth only; they do not replace the patch, and a Content Security Policy does not mitigate CSRF at all.
No active exploitation has been confirmed, but it's crucial to patch promptly to prevent potential attacks.
Refer to the Astoundify website and WordPress plugin repository for the official advisory and update information.