Platform
wordpress
Component
wp-flashy-marketing-automation
Fixed in
2.0.9
CVE-2025-62873 describes a Cross-Site Request Forgery (CSRF) vulnerability found in the WP Flashy Marketing Automation plugin. This vulnerability allows an attacker to trick authenticated users into performing actions they did not intend to, potentially leading to unauthorized modifications or deletions of marketing automation configurations. The vulnerability affects versions from 0.0.0 through 2.0.8, and a patch is available in version 2.0.9.
A successful CSRF attack could allow an attacker to modify marketing automation workflows, add or remove subscribers, or even delete entire campaigns without the user's knowledge or consent. This could result in significant disruption to marketing efforts, data breaches if sensitive information is exposed, and reputational damage. The attacker needs to craft a malicious request and trick the user into clicking a link or visiting a compromised page while logged into the WordPress site with the Flashyapp plugin installed. The impact is amplified if the plugin is used for critical marketing processes or handles sensitive user data.
This vulnerability was publicly disclosed on 2025-12-09. No public proof-of-concept (POC) code has been identified at the time of writing. The vulnerability's CVSS score of 4.3 (Medium) indicates a moderate risk of exploitation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.02% (5% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the WP Flashy Marketing Automation plugin to version 2.0.9 or later. If upgrading is not immediately feasible, consider implementing a Content Security Policy (CSP) to restrict the sources from which the plugin can load resources. Additionally, implement strict user authentication and authorization controls to minimize the potential impact of a successful CSRF attack. Review user roles and permissions to ensure users only have the necessary access. Consider using a WordPress security plugin with CSRF protection features.
Update to version 2.0.9, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-62873 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP Flashy Marketing Automation plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using WP Flashy Marketing Automation versions 0.0.0 through 2.0.8. Upgrade to 2.0.9 or later to mitigate the risk.
Upgrade the WP Flashy Marketing Automation plugin to version 2.0.9 or later. Consider implementing a Content Security Policy (CSP) as an interim measure.
There is no confirmed active exploitation of CVE-2025-62873 at this time, but the vulnerability is publicly known.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.