Platform
wordpress
Component
enteraddons
Fixed in
2.3.3
CVE-2026-25014 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the themelooks Enter Addons WordPress plugin. This flaw allows an attacker to trick authenticated users into performing actions they did not intend to, potentially leading to unauthorized modifications or deletions within the plugin's functionality. The vulnerability impacts versions from 0.0.0 up to and including 2.3.2, and a fix is available in version 2.3.3.
A successful CSRF attack could allow an attacker to modify plugin settings, delete data, or perform other actions as the logged-in user. The impact is directly proportional to the privileges of the user being targeted. For example, an administrator could be tricked into installing malicious code or granting excessive permissions. The blast radius is limited to the scope of actions available within the Enter Addons plugin itself, but this can still be significant depending on the plugin’s functionality and integration with other WordPress components. While no specific exploitation campaigns have been publicly reported, CSRF vulnerabilities are frequently exploited in targeted attacks.
CVE-2026-25014 was publicly disclosed on 2026-02-03. There are currently no publicly available proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The CVSS score of 4.3 (MEDIUM) indicates a moderate risk, suggesting that exploitation is possible but not highly likely without significant effort.
Exploit Status
EPSS
0.02% (4% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-25014 is to immediately upgrade the Enter Addons plugin to version 2.3.3 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) with CSRF protection rules. These rules can help block malicious requests by verifying the presence and validity of CSRF tokens. Additionally, ensure that users are educated about the risks of clicking on suspicious links or visiting untrusted websites, as this is a common attack vector for CSRF exploits. After upgrading, verify the plugin's functionality and security settings to ensure no unexpected behavior.
Update to version 2.3.3, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-25014 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the themelooks Enter Addons WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using Enter Addons WordPress plugin versions 0.0.0 through 2.3.2. Upgrade to 2.3.3 or later to mitigate the risk.
Upgrade the Enter Addons plugin to version 2.3.3 or later. Consider implementing a WAF with CSRF protection as a temporary workaround.
There are currently no publicly reported active exploitation campaigns, but CSRF vulnerabilities are frequently targeted.
Refer to the themelooks official website or WordPress plugin repository for the latest advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.