WordPress JNews Paywall प्लगइन < 12.0.1 - क्रॉस साइट रिक्वेस्ट फोर्जरी (CSRF) भेद्यता

The CSRF vulnerability in JNews Paywall allows an attacker to craft malicious requests that appear to originate from a legitimate user. Successful exploitation could enable an attacker to modify paywall settings, access restricted content, or perform other actions within the plugin's scope, all without the user's knowledge or consent. The impact is amplified if the plugin manages sensitive user data or financial transactions, as an attacker could potentially manipulate these processes. While the CVSS score is medium, the potential for unauthorized actions within a WordPress environment warrants prompt attention.

Websites using the JNews Paywall plugin, particularly those with sensitive content or user data managed through the plugin, are at risk. Shared hosting environments where plugin updates are managed by the hosting provider are also at increased risk if users are not proactively updating their plugins.

• wordpress / composer / npm:

grep -r 'jnews_paywall_settings' /var/www/html/*

• wordpress / composer / npm:

wp plugin list | grep JNews Paywall

• wordpress / composer / npm:

wp plugin update --all

1. 2025-12-09Disclosure

   disclosure

1. आरक्षित2025-12-09
2. प्रकाशित2025-12-09
3. संशोधित2026-04-28
4. EPSS अद्यतन2026-03-23

The primary mitigation for CVE-2025-67591 is to immediately upgrade the JNews Paywall plugin to version 12.0.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) with CSRF protection rules. These rules can help block malicious requests by verifying the authenticity of user actions. Additionally, ensure that users are educated about the risks of clicking on suspicious links or visiting untrusted websites, as this can increase the likelihood of CSRF exploitation.