CVE-2025-62956 HIGH

CVE-2025-62956: WordPress Reloadly plugin <= 2.0.1 - Cross Site Request Forgery (CSRF) vulnerability

Vendor Iseremet
Product Reloadly
Weakness CWE-352 · CSRF
Published October 27, 2025
Last update April 28, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

Cross-Site Request Forgery (CSRF) vulnerability in iseremet Reloadly reloadly-topup-widget allows Stored XSS. This issue affects Reloadly: from n/a through <= 2.0.1.

Explanation of Vulnerability in Simple Terms

02 Summary

Reloadly versions up to 2.0.1 contain a cross-site request forgery (CSRF) vulnerability that allows an attacker to perform unwanted actions on behalf of a logged-in user. The vulnerability requires user interaction—the victim must visit a malicious page or click a crafted link while authenticated. An attacker can read or modify data and disrupt service availability within the scope of the user's permissions.

What an attacker can do

03 Attacker Capabilities

Perform unwanted actions on behalf of a logged-in user, including reading, modifying, or deleting data.

Potential impact on your site

04 Site Impact

Users' accounts can be compromised to perform unauthorized transactions or data changes without their knowledge.

Conditions required to exploit

05 Prerequisites

Victim must be logged into Reloadly and visit an attacker-controlled page or click a malicious link.

Key dates

06 Disclosure timeline

October 27, 2025 CVE published
April 28, 2026 Record updated