Platform
wordpress
Component
jnews-paywall
Fixed version
12.0.2
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the JNews Paywall plugin for WordPress. The flaw allows an attacker to trick an authenticated user into submitting a state-changing request they did not intend to make, potentially leading to unauthorized modifications or access. The vulnerability affects versions 0.0.0 through 12.0.1; the fix ships in version 12.0.2.
The CSRF vulnerability in JNews Paywall lets an attacker craft a request (typically a form auto-submitted from an attacker-controlled page) that the victim's browser sends with the victim's WordPress session cookie, so it appears to originate from that legitimate user. Because the vulnerable handler does not verify that the request came from the plugin's own interface (for example via a WordPress nonce), the action is carried out with the victim's privileges. Successful exploitation could let an attacker modify paywall settings, access restricted content, or perform other actions within the plugin's scope, without the user's knowledge or consent. The impact is amplified if the plugin manages sensitive user data or financial transactions, since an attacker could manipulate those processes. Exploitation requires a logged-in user with sufficient privileges to visit an attacker page, which is why the CVSS score is medium; the potential for unauthorized actions in a WordPress environment still warrants prompt attention.
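To make the bug class concrete, the following is an added example and not the JNews Paywall plugin's own code (the plugin's real handler and option names are not published on this page). It shows a typical WordPress admin-post settings handler that is exposed to CSRF, followed by the hardened form using a nonce and a capability check. The action name `jp_demo_save`, the option `jp_demo_price`, and the nonce action `jp_demo_save_settings` are hypothetical.

```php
<?php
// Added example, not JNews Paywall code. All jp_demo_* names are hypothetical.

// VULNERABLE PATTERN: the handler assumes the request came from the settings
// page. A logged-in administrator who visits an attacker page that
// auto-submits a POST to admin-post.php?action=jp_demo_save gets the option
// overwritten: no nonce check, no capability check.
function jp_demo_save_vulnerable() {
    $price = sanitize_text_field( wp_unslash( $_POST['price'] ?? '' ) );
    update_option( 'jp_demo_price', $price );
    wp_safe_redirect( admin_url( 'options-general.php?page=jp-demo&updated=1' ) );
    exit;
}

// HARDENED PATTERN: check_admin_referer() verifies the _wpnonce field, which
// is bound to this action and to the current user's session and cannot be
// predicted by a third-party site; it calls wp_die() on a missing or stale
// nonce, so a forged request never reaches update_option(). The capability
// check stops lower-privileged users from reaching the handler directly.
function jp_demo_save_hardened() {
    check_admin_referer( 'jp_demo_save_settings' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $price = sanitize_text_field( wp_unslash( $_POST['price'] ?? '' ) );
    update_option( 'jp_demo_price', $price );
    wp_safe_redirect( admin_url( 'options-general.php?page=jp-demo&updated=1' ) );
    exit;
}
add_action( 'admin_post_jp_demo_save', 'jp_demo_save_hardened' );

// The settings form must emit the matching nonce so legitimate submissions pass.
function jp_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="jp_demo_save">
        <?php wp_nonce_field( 'jp_demo_save_settings' ); ?>
        <input type="text" name="price"
               value="<?php echo esc_attr( get_option( 'jp_demo_price', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The nonce is what a cross-origin page cannot obtain, because it is rendered into the form only for the authenticated user and is not readable from another origin; a WAF that merely inspects headers cannot substitute for it, which is why the upgrade is the real fix.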
This vulnerability was publicly disclosed on 2025-12-09. Currently, there are no known active campaigns targeting this specific vulnerability. No public proof-of-concept (POC) code has been released. The vulnerability has not been added to the CISA KEV catalog as of this date.
Websites using the JNews Paywall plugin, particularly those with sensitive content or user data managed through the plugin, are at risk. Sites where nobody owns plugin updates are at increased risk: on shared hosting, site owners often assume the provider updates plugins while the provider assumes the owner does, so the vulnerable version stays installed.
Detection (wordpress / composer / npm):
• Search the install for the plugin's settings option name: grep -r 'jnews_paywall_settings' /var/www/html/*
• List the installed plugin and its version (case-insensitive match on the slug, so the version column is printed): wp plugin list | grep -i jnews
• Update all plugins, or the plugin alone, to the fixed release: wp plugin update --all
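Listing the plugin does not by itself tell you whether the installed build is affected. The following WP-CLI script, an added example rather than anything published by the vendor or this page, compares each installed plugin header against the fixed version 12.0.2 and exits non-zero when an affected copy is present, so it can gate a deployment. It assumes the plugin's header Name contains "JNews Paywall".

```php
<?php
// Added example: save as check-jnews-paywall.php and run
//   wp eval-file check-jnews-paywall.php
// Assumption: the plugin header's Name field contains "JNews Paywall".
if ( ! function_exists( 'get_plugins' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

$fixed    = '12.0.2';   // first fixed release according to the advisory
$affected = 0;

foreach ( get_plugins() as $file => $data ) {
    if ( stripos( $data['Name'], 'JNews Paywall' ) === false ) {
        continue;
    }
    // An inactive copy is still worth reporting: it can be re-enabled later.
    $status = is_plugin_active( $file ) ? 'active' : 'inactive';
    if ( version_compare( $data['Version'], $fixed, '<' ) ) {
        WP_CLI::warning( "$file {$data['Version']} ($status) is affected by CVE-2025-67591; update to $fixed or later" );
        $affected++;
    } else {
        WP_CLI::success( "$file {$data['Version']} ($status) is at or above $fixed" );
    }
}

if ( $affected > 0 ) {
    WP_CLI::halt( 1 );   // non-zero exit for CI or cron alerting
}
```

For a multisite install, run it per site or combine with `wp site list --field=url` and `--url=`, since plugins can be network-activated while the same files are reported once.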
Exploitation status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-67591 is to upgrade the JNews Paywall plugin to version 12.0.2 or later without delay. If upgrading is not immediately feasible because of compatibility testing, a Web Application Firewall (WAF) with CSRF protection rules can reduce exposure, for example by rejecting state-changing requests to the plugin's admin endpoints whose Origin or Referer header is not the site itself. This is only a partial control: a WAF cannot verify a WordPress nonce, and Referer headers are not always present, so treat it as a stopgap rather than a fix. Additionally, remind privileged users that CSRF is triggered by visiting an attacker page while logged in, so they should avoid following suspicious links from an administrator session.
Update to version 12.0.2, or a later fixed version.
CVE-2025-67591 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the JNews Paywall WordPress plugin, allowing attackers to perform unauthorized actions.
If you are using JNews Paywall versions 0.0.0 through 12.0.1, you are affected by this vulnerability.
Upgrade the JNews Paywall plugin to version 12.0.2 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation only.
As of now, there are no confirmed reports of active exploitation targeting CVE-2025-67591.
Refer to the official JNews Paywall website or WordPress plugin repository for the latest advisory and update information.