CVE-2025-10691 is a medium-severity Cross-Site Request Forgery (CSRF) vulnerability identified in the yudiz Easy Email Subscription plugin for WordPress, affecting all versions up to and including 1.3. The vulnerability stems from the absence or improper implementation of nonce validation in the show_editsub_page() function, which is responsible for managing subscriber edits. Nonces are security tokens used to verify that requests originate from legitimate users and not from malicious third parties. Due to this missing validation, an attacker can craft a malicious request that, when executed by an authenticated site administrator (for example, by clicking a specially crafted link), results in the deletion of arbitrary subscribers without the administrator's explicit consent. This attack does not require the attacker to be authenticated, but it does require user interaction by the administrator. The vulnerability impacts the integrity of subscriber data by enabling unauthorized deletion but does not affect confidentiality or availability. The CVSS v3.1 score of 4.3 reflects the attack vector being network-based, low attack complexity, no privileges required, but requiring user interaction, and limited impact to integrity only. No public exploits have been reported yet, and no patches are currently linked, indicating that mitigation may rely on plugin updates or manual nonce implementation. This vulnerability is particularly relevant for organizations relying on WordPress-based email subscription management, as subscriber data loss can disrupt marketing efforts and customer engagement.

For European organizations, the primary impact of this vulnerability is the potential unauthorized deletion of email subscribers, which can lead to loss of valuable customer or user contact information and disrupt marketing or communication campaigns. While the vulnerability does not compromise sensitive subscriber data confidentiality or system availability, it undermines data integrity and trust in the subscription management process. Organizations with large subscriber bases or those that rely heavily on email marketing may experience operational setbacks and reputational damage if subscriber lists are manipulated. Additionally, repeated exploitation could cause administrative overhead to restore lost data and investigate incidents. Since exploitation requires tricking an administrator into clicking a malicious link, organizations with less security awareness or insufficient user training are at higher risk. The lack of known exploits in the wild reduces immediate threat but does not eliminate the risk of future attacks, especially as the vulnerability is publicly disclosed. European entities using this plugin should consider the impact on GDPR compliance, as subscriber data integrity is critical for lawful data processing and communication consent management.

To mitigate CVE-2025-10691, European organizations should: 1) Monitor for and apply any official patches or updates released by yudiz promptly once available. 2) If no patch is available, implement manual nonce validation in the show_editsub_page() function to ensure all state-changing requests require a valid security token. 3) Educate and train WordPress administrators on the risks of CSRF and the importance of not clicking suspicious or unsolicited links, especially when logged into administrative accounts. 4) Employ web application firewalls (WAFs) with CSRF protection rules to detect and block forged requests targeting the plugin’s endpoints. 5) Limit administrative access to trusted networks or use multi-factor authentication to reduce the risk of compromised admin sessions. 6) Regularly back up subscriber data to enable recovery in case of unauthorized deletions. 7) Conduct security audits of WordPress plugins to identify and remediate similar vulnerabilities proactively. These measures combined will reduce the risk of exploitation and limit potential damage.