CVE-2025-10691: CWE-352 Cross-Site Request Forgery (CSRF) in yudiz Easy Email Subscription
The Easy Email Subscription plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the show_editsub_page() function. This makes it possible for unauthenticated attackers to delete arbitrary subscribers via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
AI Analysis
Technical Summary
CVE-2025-10691 is a medium-severity Cross-Site Request Forgery (CSRF) vulnerability in the Easy Email Subscription plugin for WordPress, developed by yudiz. It affects all versions up to and including 1.3. The root cause is missing or incorrect nonce validation in the show_editsub_page() function, which renders the plugin's subscriber-management page and carries out the subscriber deletion it offers. In WordPress, a nonce is a short, time-limited token bound to a specific action, the current user and that user's session; a state-changing request should be rejected before anything is modified unless it carries a nonce that matches. Because this check is absent or not enforced on the delete path, a page under the attacker's control can issue the delete request, and the administrator's browser attaches the WordPress authentication cookies automatically, so the plugin processes it as a legitimate administrative action.

The attacker needs no account or privileges on the site, but does need a logged-in administrator to perform an action such as clicking a link or visiting a page. The outcome is the deletion of arbitrary subscribers, an integrity impact on the plugin's data; confidentiality and availability of the site are not affected. The CVSS v3.1 base score is 4.3 (medium), consistent with the vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N: network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope and low integrity impact. No public exploit has been reported, and the record carries no patch link, so a fixed release may not be available yet; administrators should check the plugin's changelog for a release later than 1.3 and apply the mitigations below in the meantime.
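To make the nonce argument concrete, the following stand-alone PHP script is an added example, not code from the plugin or from WordPress core. It models the structure of WordPress's wp_nonce_tick(), wp_create_nonce() and wp_verify_nonce(): a 10-character slice of a keyed hash over the time tick, the action name, the user ID and the session token. The salt value, the user IDs, the session tokens and the action name eesub_delete_subscriber_42 are constructed for the demonstration, and the real functions also pass their inputs through the nonce_life and nonce_user_logged_out filters, which are omitted here. The script throws if any check does not behave as described.

```php
<?php
// Added example: a model of the WordPress nonce scheme, not plugin or core code.
// Structure follows wp_nonce_tick()/wp_create_nonce()/wp_verify_nonce(); the salt,
// users, tokens and action name below are constructed for the demonstration.

const NONCE_LIFE = 86400; // WordPress default lifetime (DAY_IN_SECONDS)
const NONCE_SALT = 'constructed-salt-stand-in-for-NONCE_KEY-and-NONCE_SALT';

// WordPress: ceil(time() / (nonce_life / 2)), so a nonce lives between 12 and 24 hours.
function nonce_tick(int $now): int
{
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// wp_hash() is HMAC-MD5 over the data with the site salt; the nonce is a slice of it.
function nonce_for_tick(int $tick, string $action, int $uid, string $session_token): string
{
    $hash = hash_hmac('md5', $tick . '|' . $action . '|' . $uid . '|' . $session_token, NONCE_SALT);
    return substr($hash, -12, 10);
}

function create_nonce(string $action, int $uid, string $session_token, int $now): string
{
    return nonce_for_tick(nonce_tick($now), $action, $uid, $session_token);
}

// Returns 1 for a nonce from the current tick, 2 for the previous tick, false otherwise,
// mirroring the return values of wp_verify_nonce(). Constant-time comparison via hash_equals().
function verify_nonce(string $nonce, string $action, int $uid, string $session_token, int $now)
{
    if ($nonce === '') {
        return false;
    }
    $i = nonce_tick($now);
    foreach ([1 => $i, 2 => $i - 1] as $age => $tick) {
        if (hash_equals(nonce_for_tick($tick, $action, $uid, $session_token), $nonce)) {
            return $age;
        }
    }
    return false;
}

function expect($label, $actual, $expected): void
{
    if ($actual !== $expected) {
        throw new RuntimeException("$label: got " . var_export($actual, true));
    }
    echo "ok  $label\n";
}

// Constructed scenario: administrator (uid 1) with a live session; the delete link for
// subscriber 42 carries a nonce bound to that exact action.
$now    = 1700000000;
$uid    = 1;
$token  = 'constructed-admin-session-token';
$action = 'eesub_delete_subscriber_42'; // hypothetical per-record action name

$legit = create_nonce($action, $uid, $token, $now);

// 1) The admin's own page minted the nonce: accepted as current.
expect('nonce from admin page', verify_nonce($legit, $action, $uid, $token, $now), 1);

// 2) A cross-site request carries no nonce, or a guessed one: rejected.
expect('forged request, no nonce', verify_nonce('', $action, $uid, $token, $now), false);
expect('forged request, guessed nonce', verify_nonce('0123456789', $action, $uid, $token, $now), false);

// 3) A nonce observed for a different record does not transfer to this action.
$other = create_nonce('eesub_delete_subscriber_7', $uid, $token, $now);
expect('nonce for another record', verify_nonce($other, $action, $uid, $token, $now), false);

// 4) A nonce the attacker mints in their own session (other uid/token) does not transfer.
$attacker = create_nonce($action, 99, 'constructed-attacker-session-token', $now);
expect('nonce from attacker session', verify_nonce($attacker, $action, $uid, $token, $now), false);

// 5) The previous tick is still accepted (returns 2); two ticks later it is not.
expect('one tick later', verify_nonce($legit, $action, $uid, $token, $now + NONCE_LIFE / 2), 2);
expect('two ticks later', verify_nonce($legit, $action, $uid, $token, $now + NONCE_LIFE), false);
```

Run it with `php nonce_model.php`. The four rejected cases are the point: a page on the attacker's origin can neither read the administrator's nonce nor compute it, because doing so would require the site's secret salt and the victim's session token. Note also what the nonce does not do. It is not an authorization check, so the handler still needs current_user_can(); and a nonce that leaks, for example through a referring URL or an XSS bug, stays valid for the rest of its 12 to 24 hour window.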
Potential Impact
The primary impact of CVE-2025-10691 is on the integrity of subscriber data in WordPress sites running the Easy Email Subscription plugin. An attacker can cause unauthorized deletion of subscribers, disrupting newsletters, marketing campaigns and other customer communication, and leaving the site owner to restore the list from a backup. Because the forged request is executed by the administrator's own browser, the server's logs attribute the deletion to the administrator's session and IP address rather than to the attacker, which complicates detection and attribution. Exploitation depends on social engineering: the attacker must get a logged-in administrator to open a crafted link or page, so the realistic threat is targeted phishing of known site administrators. There is no direct impact on availability or confidentiality, and the vulnerability provides no foothold on the server; its effect is limited to the subscriber records, but for organizations with large lists or a heavy reliance on email marketing the operational and reputational cost of a wiped list can still be significant.
Mitigation Recommendations
To mitigate CVE-2025-10691, first confirm whether the Easy Email Subscription plugin is installed and at version 1.3 or earlier, and update as soon as a release later than 1.3 is published. If no fixed release is available and the plugin is not essential, deactivate it after exporting the subscriber list; a deactivated plugin's admin handlers do not run. If the plugin must stay active, the code-level fix is to have the delete path in show_editsub_page() verify a nonce with check_admin_referer() or wp_verify_nonce() and check the user's capability with current_user_can() before touching any record, and to generate the delete links with wp_nonce_url() or wp_nonce_field(). A local edit to plugin files is overwritten by the next plugin update, so track the change and re-check it after updating.

Compensating controls have limits worth knowing. A web application firewall cannot distinguish the forged request by its source, because it arrives from the administrator's browser with valid cookies; a rule can only key on the absence of the plugin's nonce parameter on its delete request or on a cross-site Referer or Origin header, and the Referer check is unreliable because browsers may omit the header. Browsers' default SameSite=Lax cookie handling blocks cross-site POST requests but still sends cookies on top-level navigations, so if the delete is reachable through a GET link, the default cookie behaviour does not help. Limiting wp-admin access to trusted networks and requiring multi-factor authentication do not stop this attack, since the request comes from an already authenticated administrator, although both remain good hygiene against account takeover.

Measures that do reduce risk: train administrators not to follow unsolicited links while logged into wp-admin, ideally using a separate browser profile for site administration; take regular exports or backups of the subscriber table so deletions can be reversed; and monitor for unexpected drops in the subscriber count or bursts of delete actions on the plugin's admin page, which are the visible trace of exploitation.
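The following WordPress plugin-style PHP is an added example, not the Easy Email Subscription plugin's own code, showing the vulnerable pattern the advisory describes beside a hardened handler. The hook names eesub_delete_vuln and eesub_delete, the nonce parameter eesub_nonce, the table wp_eesub_subscribers and the manage_options capability are assumptions chosen for the illustration; the file runs inside a WordPress install as a plugin or mu-plugin and uses only core functions.

```php
<?php
/*
 * Plugin Name: EESub CSRF example (added example, not the plugin's code)
 * Hook names, table name, nonce parameter and capability are assumptions.
 */

// --- Vulnerable pattern: the delete runs on any request that names a subscriber id. ---
// A link such as admin-post.php?action=eesub_delete_vuln&subscriber=42 on an attacker's
// page, opened by a logged-in administrator, is enough to trigger it: the browser sends the
// WordPress auth cookies, and nothing ties the request to a page the admin actually saw.
add_action('admin_post_eesub_delete_vuln', function () {
    global $wpdb;
    $id = absint($_GET['subscriber'] ?? 0);
    $wpdb->delete($wpdb->prefix . 'eesub_subscribers', ['id' => $id], ['%d']); // assumed table
    wp_safe_redirect(admin_url('admin.php?page=eesub'));
    exit;
});

// --- Hardened pattern ---

// 1) Delete links are minted with a nonce bound to the action AND the record id, so a nonce
//    for one subscriber cannot be replayed against another. Call this when rendering the list.
function eesub_delete_link(int $subscriber_id): string
{
    $url = add_query_arg(
        ['action' => 'eesub_delete', 'subscriber' => $subscriber_id],
        admin_url('admin-post.php')
    );
    return esc_url(wp_nonce_url($url, 'eesub_delete_subscriber_' . $subscriber_id, 'eesub_nonce'));
}

// 2) The handler checks authorization first, then the nonce, and only then mutates state.
add_action('admin_post_eesub_delete', function () {
    // Authorization: the nonce proves intent, not permission, so check the capability too.
    if (!current_user_can('manage_options')) {
        wp_die(__('You are not allowed to delete subscribers.'), 403);
    }

    $id = absint($_GET['subscriber'] ?? 0);
    if ($id === 0) {
        wp_die(__('Invalid subscriber.'), 400);
    }

    // CSRF: check_admin_referer() reads $_REQUEST['eesub_nonce'], verifies it against the same
    // action string used in eesub_delete_link(), and dies with a 403 page on mismatch or absence.
    check_admin_referer('eesub_delete_subscriber_' . $id, 'eesub_nonce');

    global $wpdb;
    $wpdb->delete($wpdb->prefix . 'eesub_subscribers', ['id' => $id], ['%d']);
    wp_safe_redirect(add_query_arg(['page' => 'eesub', 'deleted' => 1], admin_url('admin.php')));
    exit;
});
```

Two design notes. First, a state change behind a GET link is what makes "clicking on a link" sufficient; a POST form carrying wp_nonce_field() is the safer shape, and for AJAX handlers check_ajax_referer() plays the role check_admin_referer() plays here. Second, the order matters: the capability check runs before the nonce check so that a low-privileged user with a valid nonce for some other action cannot reach the delete, and both run before any database call.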
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-18T14:54:06.118Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690c1959fd0d6d226485656f
Added to database: 11/6/2025, 3:43:21 AM
Last enriched: 2/27/2026, 6:34:23 PM
Last updated: 3/22/2026, 12:19:29 PM