Platform: wordpress
Component: listify
Fixed in: 3.2.6
CVE-2025-59009 identifies a Cross-Site Request Forgery (CSRF) vulnerability within Astoundify Listify, a WordPress plugin. This flaw allows an attacker to potentially execute unauthorized actions on a user's account if they are tricked into clicking a malicious link. The vulnerability impacts versions ranging from 0.0.0 up to and including 3.2.5, and a patch is available in version 3.2.6.
A successful CSRF attack can lead to various malicious actions, depending on the user's privileges within Listify. An attacker could modify list settings, delete data, or even create new lists without the user's knowledge or consent. The impact is amplified if the compromised user has administrative access, potentially granting the attacker control over the entire Listify installation. This vulnerability highlights the importance of user awareness and proper security measures to prevent malicious actors from exploiting CSRF flaws.
CVE-2025-59009 was publicly disclosed on 2025-12-16. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability's impact is considered medium, reflecting the potential for unauthorized actions but requiring user interaction to trigger. It is not currently listed on the CISA KEV catalog.
Websites utilizing Astoundify Listify, particularly those running older versions (0.0.0–3.2.5), are at risk. Shared hosting environments where multiple websites share the same server resources are also potentially vulnerable, as a compromise on one site could impact others. Users who frequently interact with Listify and are susceptible to phishing attacks are also at increased risk.
• wordpress / composer / npm:
grep -r 'Astoundify Listify' /var/www/html/
wp plugin list
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/listify/disclosure
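The grep and wp-cli commands above only tell you that Listify is present; deciding whether the installed copy is inside the affected range (0.0.0 through 3.2.5) still needs a version comparison. The following POSIX shell script is an added example, not from the advisory or from Astoundify: it reads the "Version:" field from a plugin's main header file and classifies it against the fixed release 3.2.6 named on this page. The sample header it builds with mktemp is constructed for illustration; on a real site the file lives under wp-content/plugins/listify/.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an installed Listify copy
# against the affected range by reading the plugin header's "Version:" line.
# FIXED_VERSION is the patched release named on the advisory page.
FIXED_VERSION="3.2.6"

# Extract the "Version:" header value from a WordPress plugin's main PHP file.
# Usage: plugin_version /path/to/wp-content/plugins/listify/listify.php
plugin_version() {
  sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return success (0) when version $1 sorts strictly below version $2.
# Uses sort -V so that 3.10.0 is ordered after 3.2.6, unlike plain string sort.
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print VULNERABLE, PATCHED or UNKNOWN for the plugin header file given as $1.
listify_status() {
  v=$(plugin_version "$1")
  if [ -z "$v" ]; then
    echo "UNKNOWN"        # no parsable Version: header; inspect manually
  elif version_lt "$v" "$FIXED_VERSION"; then
    echo "VULNERABLE"     # 0.0.0 <= version <= 3.2.5
  else
    echo "PATCHED"        # 3.2.6 or later
  fi
}

# Constructed sample header (stand-in for the real listify.php on a site).
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
<?php
/**
 * Plugin Name: Listify
 * Version: 3.2.5
 */
EOF
echo "sample header: $(listify_status "$tmp")"
rm -f "$tmp"
```

Point `listify_status` at the real header file under each WordPress root you manage; on shared hosts that means iterating over every site's wp-content/plugins/listify/ directory, since one patched site says nothing about its neighbours. sort -V is a GNU coreutils (and busybox) feature, so run the check on the server rather than on a minimal macOS shell.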
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-59009 is to immediately upgrade Astoundify Listify to version 3.2.6 or later. If upgrading is not immediately feasible, consider implementing a Content Security Policy (CSP) to restrict the sources from which Listify can load resources. Additionally, enabling CSRF protection mechanisms within WordPress itself, such as using a security plugin with CSRF protection, can provide an additional layer of defense. Regularly review Listify's configuration and user permissions to minimize potential damage.
No known patch available. Please review the vulnerability details in depth and implement mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-59009 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Astoundify Listify versions 0.0.0–3.2.5, allowing attackers to perform unauthorized actions.
You are affected if you are using Astoundify Listify version 3.2.5 or earlier. Check your plugin version and upgrade immediately.
Upgrade Astoundify Listify to version 3.2.6 or later to resolve the vulnerability. Consider implementing CSP and CSRF protection as additional measures.
No active exploitation has been confirmed, but it's crucial to patch promptly to prevent potential attacks.
Refer to the Astoundify website and WordPress plugin repository for the official advisory and update information.