CVE-2025-5937
MEDIUMVideowhisper Micropayments < 3.2.1 - CSRF
Title source: ruleDescription
The MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.0. This is due to missing or incorrect nonce validation on the adminOptions() function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
References (3)
Scores
CVSS v3
4.3
EPSS
0.0002
EPSS Percentile
5.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Classification
CWE
CWE-352
Status
published
Affected Products (1)
videowhisper/micropayments
< 3.2.1
Timeline
Published
Jun 28, 2025
Tracked Since
Feb 18, 2026