What the vulnerability does
01Description
Cross-Site Request Forgery (CSRF) vulnerability in WPDirectoryKit Sweet Energy Efficiency sweet-energy-efficiency allows Stored XSS.This issue affects Sweet Energy Efficiency: from n/a through <= 1.0.8.
CVE-2025-58262
HIGH
CVE-2025-58262: WordPress Sweet Energy Efficiency plugin <= 1.0.8 - Cross Site Request Forgery (CSRF) vulnerability
CVSS base score
7.1/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Explanation of Vulnerability in Simple Terms
02Summary
Sweet Energy Efficiency versions 1.0.8 and earlier contain a cross-site request forgery (CSRF) vulnerability. An attacker can craft a malicious webpage that, when visited by a logged-in site administrator, performs unwanted actions on the site without the admin's knowledge. The vulnerability requires the victim to visit the attacker's page while authenticated to the WordPress site.
What an attacker can do
03Attacker Capabilities
Perform unauthorized actions on the site by tricking an authenticated admin into visiting a malicious webpage.
Potential impact on your site
04Site Impact
An attacker can modify site settings, create accounts, or change content if an admin visits a malicious link while logged in.
Conditions required to exploit
05Prerequisites
Site admin must be logged in and visit an attacker-controlled webpage; no special privileges or direct site access required.
Key dates
06Disclosure timeline
September 22, 2025
CVE published
April 28, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2023-45268 WordPress Hitsteps Web Analytics Plugin <= 5.86 is vulnerable to Cross Site Request Forgery (CSRF)
CVE-2023-47790 WordPress Pz-LinkCard Plugin <= 2.4.8 is vulnerable to Cross Site Request Forgery (CSRF)
CVE-2024-31364 WordPress ELEX WooCommerce Dynamic Pricing and Discounts plugin <= 2.1.2 - Cross Site Request Forgery (CSRF) vulnerability
CVE-2020-7534
CVE-2023-4246 GiveWP <= 2.33.3 - Cross-Site Request Forgery to plugin installation
