Platform: wordpress
Component: mergado-marketing-pack
Fixed in: 4.2.2
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Mergado Pack WordPress plugin, affecting all versions through 4.2.1. The flaw lets an attacker cause an authenticated user's browser to submit a state-changing request to the plugin that the user did not intend, which can lead to unauthorized modification of the plugin's data or settings. The vulnerability was published on December 31, 2025, and a fix is available in version 4.2.2.
A CSRF request is issued by the victim's own browser, so it carries the victim's session cookies and runs with the victim's privileges; the attacker only needs a logged-in WordPress user with the relevant role to open a page the attacker controls. What the forged request can do is bounded by the actions the plugin exposes without a nonce check and by the victim's role: changing plugin settings, or triggering other state-changing plugin actions, is the realistic outcome, which is consistent with the Medium score. The impact grows if the altered settings feed an e-commerce integration or are trusted by downstream systems.
The vulnerability is publicly disclosed and tracked as CVE-2025-62089. The CVSS score of 4.3 (MEDIUM) indicates moderate risk. As of the publication date there is no known public proof-of-concept, the CVE is not listed in CISA KEV, and active exploitation is not confirmed; public disclosure nonetheless makes it a candidate for opportunistic attacks against WordPress sites that have not updated.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS Vector
The fix for CVE-2025-62089 is to update Mergado Pack to 4.2.2 or later. The defect is in the plugin's own request handling, so site operators cannot add CSRF tokens themselves: in WordPress the protection belongs in the plugin, as a wp_nonce_field() in the form and a check_admin_referer() or wp_verify_nonce() check, together with a capability check, in the handler. If the update has to wait, deactivate the plugin in the meantime, or limit the accounts that hold the privileges the affected actions require. A Web Application Firewall is only a weak stopgap here: the forged request comes from the victim's own browser with valid session cookies, so the most a WAF can do is reject state-changing requests to wp-admin whose Origin or Referer header does not match the site, and some legitimate clients omit those headers. Browsers' Lax-by-default cookie handling blocks many cross-site POSTs but not cross-site top-level GET navigations, so it is not a substitute for the update either. After updating, verify in a test environment: submit the plugin's state-changing request from a page on another origin, without a nonce, and confirm that WordPress rejects it and the setting is unchanged.
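The WordPress-side mechanics of this class of fix, as an added example that is not the Mergado Pack plugin's own code: a vulnerable admin-post handler that writes an option on any request, next to the hardened form that binds the write to a per-user nonce and a capability check. The option name, action names, capability and AJAX endpoint are hypothetical.

```php
<?php
/**
 * Added example, not code from the Mergado Pack plugin. Shows the CSRF
 * pattern behind a finding like CVE-2025-62089 in a WordPress plugin.
 * The option 'example_pack_feed_url', the actions 'example_pack_save' and
 * 'example_pack_cache', and the 'manage_options' capability are assumptions.
 */

// VULNERABLE: a state-changing handler that trusts any POST carrying the
// expected field. A logged-in admin who visits an attacker-controlled page
// can be made to submit this request without knowing it.
function example_pack_save_settings_vulnerable() {
    if ( isset( $_POST['feed_url'] ) ) {
        update_option( 'example_pack_feed_url', esc_url_raw( wp_unslash( $_POST['feed_url'] ) ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=example-pack' ) );
    exit;
}

// HARDENED: the write is gated on an explicit capability and on a nonce that
// only a page rendered for this user contains. check_admin_referer() calls
// wp_die() when the nonce is missing or invalid, which is what a CSRF test in
// staging should observe after the fix.
function example_pack_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-pack' ), '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_pack_save', 'example_pack_nonce' );

    if ( isset( $_POST['feed_url'] ) ) {
        update_option( 'example_pack_feed_url', esc_url_raw( wp_unslash( $_POST['feed_url'] ) ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=example-pack' ) );
    exit;
}
add_action( 'admin_post_example_pack_save', 'example_pack_save_settings_hardened' );

// The settings form the hardened handler expects. wp_nonce_field() emits a
// hidden input named example_pack_nonce tied to the current user, session and
// the 'example_pack_save' action; a form on another origin cannot forge it.
function example_pack_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_pack_save">
        <?php wp_nonce_field( 'example_pack_save', 'example_pack_nonce' ); ?>
        <label>Feed URL
            <input type="url" name="feed_url"
                   value="<?php echo esc_attr( get_option( 'example_pack_feed_url', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// The same rule applies to AJAX endpoints: check_ajax_referer() terminates the
// request with a 403 when the nonce does not verify, so the write is never
// reached. The nonce is sent by the plugin's own JavaScript, not by a form.
function example_pack_ajax_clear_cache() {
    check_ajax_referer( 'example_pack_cache', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_transient( 'example_pack_feed_cache' );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_pack_clear_cache', 'example_pack_ajax_clear_cache' );
```

To check a fix of this shape in staging, host a page on a different origin that auto-submits a POST to admin-post.php with action=example_pack_save and a feed_url value but no nonce, open it while logged in as an administrator, and confirm the response is the WordPress "link you followed has expired" page and that get_option('example_pack_feed_url') is unchanged. Note that the capability check alone does not stop CSRF, since the victim already holds the capability; only the nonce ties the request to a page the victim actually rendered.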
A patched release, 4.2.2, is available, so updating is the recommended action. If the plugin cannot be updated and is not needed, removing it eliminates the exposure.
CVE-2025-62089 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Mergado Pack WordPress plugin, allowing attackers to perform unauthorized actions.
Yes, if you are using Mergado Pack versions 0.0.0 through 4.2.1, you are vulnerable to this CSRF attack.
Upgrade to Mergado Pack 4.2.2 or later. If an immediate upgrade is not possible, deactivate the plugin until it can be updated; CSRF protection has to be implemented in the plugin's own code through WordPress nonces, so it is not something a site operator can add from outside.
As of the publication date, there are no confirmed reports of active exploitation, but the public disclosure makes it a potential target.
Refer to the Mergado Pack plugin documentation and website for official advisories and updates related to this vulnerability.