What the vulnerability does
01Description
Cross-Site Request Forgery (CSRF) vulnerability in Helmut Wandl Advanced Settings advanced-settings allows Cross Site Request Forgery.This issue affects Advanced Settings: from n/a through <= 3.1.1.
CVE-2025-58975
MEDIUM
CVE-2025-58975: WordPress Advanced Settings Plugin <= 3.1.1 - Cross Site Request Forgery (CSRF) Vulnerability
CVSS base score
4.3/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Explanation of Vulnerability in Simple Terms
02Summary
Advanced Settings versions 3.1.1 and earlier contain a cross-site request forgery (CSRF) vulnerability. An attacker can craft a malicious webpage that, when visited by a site administrator, performs unauthorized actions within the plugin without the admin's knowledge. The vulnerability requires the admin to visit the attacker's page while logged into the site.
What an attacker can do
03Attacker Capabilities
Perform unauthorized actions in the plugin by tricking a logged-in admin into visiting a malicious webpage.
Potential impact on your site
04Site Impact
An attacker can modify plugin settings or perform other administrative actions if they trick your admin into clicking a malicious link.
Conditions required to exploit
05Prerequisites
Admin must be logged in and visit an attacker-controlled webpage; no special privileges or complex setup required.
Key dates
06Disclosure timeline
September 9, 2025
CVE published
April 28, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2019-5430
CVE-2024-1719 Easy PayPal & Stripe Buy Now Button <= 1.8.3 & Contact Form 7 – PayPal & Stripe Add-on <= 2.1 - Cross-Site Request Forgery to Settings Update
CVE-2023-50873 WordPress Add Any Extension to Pages Plugin <= 1.4 is vulnerable to Cross Site Request Forgery (CSRF)
CVE-2023-37995 WordPress WP-CopyProtect [Protect your blog posts] Plugin <= 3.1.0 is vulnerable to Cross Site Request Forgery (CSRF)
CVE-2025-23081 Various security vulnerabilities in Extension:DataTransfer
