Platform: wordpress
Component: jnews-paywall
Fixed in: 12.0.2
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the JNews Paywall plugin for WordPress. This flaw allows an attacker to trick authenticated users into performing actions they did not intend to, potentially leading to unauthorized modifications or access. The vulnerability affects versions from 0.0.0 through 12.0.1. A patch has been released in version 12.0.1.
The CSRF vulnerability in JNews Paywall allows an attacker to craft malicious requests that appear to originate from a legitimate user. Successful exploitation could enable an attacker to modify paywall settings, access restricted content, or perform other actions within the plugin's scope, all without the user's knowledge or consent. The impact is amplified if the plugin manages sensitive user data or financial transactions, as an attacker could potentially manipulate these processes. While the CVSS score is medium, the potential for unauthorized actions within a WordPress environment warrants prompt attention.
This vulnerability was publicly disclosed on 2025-12-09. Currently, there are no known active campaigns targeting this specific vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability has not been added to the CISA KEV catalog as of this date.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-67591 is to immediately upgrade the JNews Paywall plugin to version 12.0.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) with CSRF protection rules. These rules can help block malicious requests by verifying the authenticity of user actions. Additionally, ensure that users are educated about the risks of clicking on suspicious links or visiting untrusted websites, as this can increase the likelihood of CSRF exploitation.
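The paragraphs above describe the CSRF class in general and point to patching and WAF rules as the remedies. The following is an added illustration written for this page, not JNews Paywall's own code and not derived from the plugin; it shows the defect class (a settings handler that acts on any request carrying the victim's session cookie) next to the standard WordPress defence, a nonce check bound to the user and action plus a capability check. The option name `example_paywall_enabled`, the admin-post action `example_paywall_save` and the nonce action string `example_paywall_save_settings` are hypothetical names chosen for the example; the WordPress functions used (`check_admin_referer`, `wp_nonce_field`, `check_ajax_referer`, `current_user_can`) are the real core APIs.

```php
<?php
/**
 * Illustrative example (not JNews Paywall code): a WordPress admin-post
 * handler that saves a plugin setting, shown first without CSRF
 * protection and then in its hardened form.
 *
 * Hypothetical names used here, not taken from the advisory:
 *   - option name        'example_paywall_enabled'
 *   - admin_post action  'example_paywall_save'
 *   - nonce action       'example_paywall_save_settings'
 */

// ---- Vulnerable pattern (not hooked): the handler trusts any POST that
// arrives with the victim's logged-in session cookie attached. ----
function example_paywall_save_vulnerable() {
    // No nonce check and no capability check, so a form submitted from an
    // unrelated site in the victim's browser is processed like a real one.
    $enabled = isset( $_POST['enabled'] ) ? '1' : '0';
    update_option( 'example_paywall_enabled', $enabled );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}

// ---- Hardened pattern: authorise, verify the nonce, then change state. ----
function example_paywall_save_hardened() {
    // 1. Authorisation: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF defence: a WordPress nonce is tied to the current user, the
    //    action string and a time window, so a page on another origin cannot
    //    supply a valid value. check_admin_referer() calls wp_die() itself
    //    when the nonce is missing or does not verify.
    check_admin_referer( 'example_paywall_save_settings', '_example_paywall_nonce' );

    // 3. Only now touch state, after sanitising the input.
    $enabled = ( isset( $_POST['enabled'] ) && '1' === $_POST['enabled'] ) ? '1' : '0';
    update_option( 'example_paywall_enabled', $enabled );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}
add_action( 'admin_post_example_paywall_save', 'example_paywall_save_hardened' );

// The settings form must emit the matching nonce field so that legitimate
// submissions carry it; wp_nonce_field() also adds the _wp_http_referer field.
function example_paywall_render_form() {
    $enabled = get_option( 'example_paywall_enabled', '0' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_paywall_save">
        <?php wp_nonce_field( 'example_paywall_save_settings', '_example_paywall_nonce' ); ?>
        <label>
            <input type="checkbox" name="enabled" value="1" <?php checked( $enabled, '1' ); ?>>
            Enable paywall
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// The same defence applies to AJAX endpoints: check_ajax_referer() terminates
// the request when the nonce passed in the 'nonce' field does not verify.
function example_paywall_ajax_save() {
    check_ajax_referer( 'example_paywall_save_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'example_paywall_enabled', isset( $_POST['enabled'] ) ? '1' : '0' );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_paywall_save', 'example_paywall_ajax_save' );
```

When reviewing a plugin for this class of flaw, the two things to look for in every state-changing handler (admin_post_*, wp_ajax_*, REST routes without a permission callback, and bare `$_POST` processing in `init`/`admin_init`) are exactly the checks in the hardened function: a nonce verification before any write, and a capability check that matches the privilege the action needs. A WAF rule that requires a same-origin `Origin`/`Referer` header on POST requests to `admin-post.php` and `admin-ajax.php` is a reasonable stopgap until the patched version is deployed, but it does not replace the in-code nonce check.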
Update to version 12.0.1, or a newer patched version
CVE-2025-67591 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the JNews Paywall WordPress plugin, allowing attackers to perform unauthorized actions.
If you are using JNews Paywall versions 0.0.0 through 12.0.1, you are affected by this vulnerability.
Upgrade the JNews Paywall plugin to version 12.0.1 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
As of now, there are no confirmed reports of active exploitation targeting CVE-2025-67591.
Refer to the official JNews Paywall website or WordPress plugin repository for the latest advisory and update information.