Platform
wordpress
Component
jnews-paywall
Fixed in
12.0.2
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the JNews Paywall plugin for WordPress. It allows an attacker to trick an authenticated user (typically a site administrator) into submitting a state-changing request they did not intend, potentially leading to unauthorized modifications or access. The vulnerability affects versions 0.0.0 through 12.0.1 and is fixed in version 12.0.2.
The CSRF flaw lets an attacker craft a request, for instance from an auto-submitting form on a page the attacker controls, that a logged-in user's browser sends to the site with that user's WordPress session cookies attached, so it appears to originate from the legitimate user. In WordPress, state-changing plugin actions are normally protected by a nonce that an attacker's page cannot obtain, so a CSRF issue of this kind means at least one of the plugin's actions can be triggered without such a check. Successful exploitation could let the attacker modify paywall settings, access restricted content, or perform other actions within the plugin's scope, all without the user's knowledge or consent. The impact is amplified where the plugin manages sensitive subscriber data or payment-related settings, because those processes could be manipulated as well. Although the CVSS score is medium, an unauthorized action performed with an administrator's privileges in a WordPress site warrants prompt attention.
This vulnerability was publicly disclosed on 2025-12-09. There are currently no known active campaigns targeting it, no public proof-of-concept (PoC) code has been released, and it has not been added to the CISA KEV catalog as of that date.
Websites running the JNews Paywall plugin are at risk, particularly those where sensitive content or subscriber data is managed through it. Sites whose plugin updates are not applied automatically (for example, shared hosting setups where the site owner assumes the provider handles updates while it does not) are at increased risk, because the vulnerable version can remain installed unnoticed.
• Search the web root for the plugin's settings key (wordpress):
  grep -r 'jnews_paywall_settings' /var/www/html/*
• List the installed plugin and its version with WP-CLI (wordpress):
  wp plugin list | grep -i jnews-paywall
• Update all plugins with WP-CLI (wordpress):
  wp plugin update --all
Exploit Status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2025-67591 is to upgrade the JNews Paywall plugin to version 12.0.2 or later. If upgrading is not immediately feasible because of compatibility or testing requirements, a Web Application Firewall (WAF) can reduce exposure, but only as a stopgap: a forged request is sent by the victim's own browser with the victim's cookies, so a WAF cannot distinguish it from a legitimate one by signature alone. The most useful rules reject state-changing requests to the plugin's admin endpoints whose Origin or Referer header does not match the site, and they must be tested against the plugin's legitimate forms. The durable fix can only come from the plugin itself, by verifying a WordPress nonce and the user's capability on the affected action, which is why the update rather than the WAF is the real remedy. In the meantime, keep the number of administrator accounts small and remind administrators not to browse untrusted sites while logged into wp-admin, since exploitation requires a logged-in user to visit an attacker-controlled page.
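The following is an added illustration of the vulnerability class and of the kind of check that closes it; it is written for this page and is not code from the JNews Paywall plugin. A hypothetical settings handler is shown first in its CSRF-prone form and then hardened with WordPress's nonce and capability checks. The action name `jnp_save_settings`, the option name `jnp_settings`, the nonce field `_jnp_nonce`, the page slug and the field names are all assumptions made for this example.

```php
<?php
// Added example, not JNews Paywall code. Hypothetical plugin settings page
// showing a CSRF-prone handler and its hardened replacement. The action name
// 'jnp_save_settings', the option 'jnp_settings', the nonce field '_jnp_nonce'
// and the form field names are assumptions made for this illustration.

// --- Vulnerable pattern ------------------------------------------------------
// admin_post_{action} fires for any logged-in user who POSTs to admin-post.php.
// Nothing here proves the request was intentionally submitted from this site,
// so an auto-submitting form on an attacker page targeting
// /wp-admin/admin-post.php?action=jnp_save_settings succeeds as soon as a
// logged-in administrator visits it: the browser attaches the auth cookies.
function jnp_save_settings_vulnerable() {
    $settings = array(
        'paywall_enabled' => isset( $_POST['paywall_enabled'] ) ? 1 : 0,
        'free_articles'   => isset( $_POST['free_articles'] ) ? (int) $_POST['free_articles'] : 0,
    );
    update_option( 'jnp_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=jnp-settings&updated=1' ) );
    exit;
}
// Left unhooked on purpose; shown only for contrast with the hardened version.
// add_action( 'admin_post_jnp_save_settings', 'jnp_save_settings_vulnerable' );

// --- Hardened pattern --------------------------------------------------------
function jnp_render_settings_form() {
    $settings = get_option( 'jnp_settings', array( 'paywall_enabled' => 0, 'free_articles' => 0 ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="jnp_save_settings">
        <?php
        // Emits a hidden '_jnp_nonce' field bound to the 'jnp_save_settings'
        // action, the current user and the current session. An attacker's page
        // cannot read this value because of the same-origin policy, so it
        // cannot forge a request that passes the check below.
        wp_nonce_field( 'jnp_save_settings', '_jnp_nonce' );
        ?>
        <label>
            <input type="checkbox" name="paywall_enabled" value="1" <?php checked( 1, (int) $settings['paywall_enabled'] ); ?>>
            Enable paywall
        </label>
        <label>
            Free articles
            <input type="number" name="free_articles" value="<?php echo esc_attr( $settings['free_articles'] ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function jnp_save_settings_hardened() {
    // 1. Authorization: being logged in is not enough; require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF check: wp_die()s if the nonce is missing, expired, or was issued
    //    for another user or action. This is the check a CSRF finding
    //    indicates is absent or ineffective on the affected action.
    check_admin_referer( 'jnp_save_settings', '_jnp_nonce' );

    // 3. Only then touch state, and sanitize what is stored.
    $settings = array(
        'paywall_enabled' => isset( $_POST['paywall_enabled'] ) ? 1 : 0,
        'free_articles'   => isset( $_POST['free_articles'] ) ? absint( wp_unslash( $_POST['free_articles'] ) ) : 0,
    );
    update_option( 'jnp_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=jnp-settings&updated=1' ) );
    exit;
}
add_action( 'admin_post_jnp_save_settings', 'jnp_save_settings_hardened' );
```

The nonce check and the capability check are distinct controls: the nonce proves the request was submitted through the plugin's own form by this user, the capability check proves the user is allowed to change the setting. A plugin needs both on every state-changing action, including AJAX handlers (`check_ajax_referer()`) and REST routes (a `permission_callback`), not only on classic admin-post handlers.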
Update to version 12.0.2, or a newer patched version.
CVE-2025-67591 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the JNews Paywall WordPress plugin, allowing attackers to perform unauthorized actions.
If you are using JNews Paywall versions 0.0.0 through 12.0.1, you are affected by this vulnerability.
Upgrade the JNews Paywall plugin to version 12.0.2 or later to resolve the vulnerability. Consider WAF rules only as a temporary mitigation.
As of now, there are no confirmed reports of active exploitation targeting CVE-2025-67591.
Refer to the official JNews Paywall website or WordPress plugin repository for the latest advisory and update information.