CVE-2025-26572: Cross-Site Request Forgery (CSRF) in jesseheap WP PHPList
Cross-Site Request Forgery (CSRF) vulnerability in jesseheap WP PHPList phplist-form-integration allows Cross Site Request Forgery. This issue affects WP PHPList: from n/a through <= 1.7.
AI Analysis
Technical Summary
CVE-2025-26572 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the jesseheap WP PHPList plugin; the phplist-form-integration identifier in the CVE description is the plugin's slug rather than a separate module. WP PHPList is a WordPress plugin that integrates PHPList mailing list functionality, such as subscription forms, into WordPress sites. The vulnerability affects all versions up to and including 1.7. CSRF works because a browser attaches the victim's session cookies to any request aimed at the target site, including requests triggered by a page the attacker controls; if the application accepts a state-changing request without proof that the user's own form produced it, the attacker's page can drive that action with the victim's privileges. Here the plugin's state-changing request handling lacks that proof (in WordPress terms, a nonce verified with check_admin_referer() or wp_verify_nonce(), paired with a capability check), so a malicious page or link opened by an authenticated user can trigger an action in the plugin without the user's consent. The advisory does not name the affected action; for a plugin of this kind the plausible targets are its settings and subscription handling. The attacker needs no credentials on the site but does need the victim to be logged in and to open the attacker-controlled page, and the damage is bounded by the victim's own role. No CVSS score has been assigned, and no public exploit is known at this time. The vulnerability was published on February 13, 2025, with Patchstack as the assigning CNA. No patch or mitigation is currently listed, so site owners should apply interim protective measures until a fixed release is available.
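The shape of the defect and of its fix, as an added example written for this page: it is not WP PHPList's code, and the option name demo_phplist_url, the action names demo_phplist_save_vuln and demo_phplist_save, and the settings page slug demo-phplist are assumptions. The first handler is the CSRF-prone pattern (logged-in is the only gate); the second adds the two checks WordPress provides, a capability check and a nonce verified by check_admin_referer(), and the form that pairs with it emits the nonce with wp_nonce_field().

```php
<?php
/**
 * Illustrative WordPress settings handlers, example code for this page only
 * (not taken from WP PHPList). Assumed names: option 'demo_phplist_url',
 * admin_post actions 'demo_phplist_save_vuln' / 'demo_phplist_save',
 * settings page slug 'demo-phplist'. Runs only inside WordPress.
 */

// --- CSRF-prone shape: any request carrying a valid login cookie is honoured.
// A page on another origin can auto-submit a form to admin-post.php with
// action=demo_phplist_save_vuln; the browser adds the victim's cookies and
// the option is overwritten. Nothing here proves the user's own form sent it.
add_action( 'admin_post_demo_phplist_save_vuln', function () {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in', 'Forbidden', array( 'response' => 403 ) );
    }
    // Input is sanitised, but sanitisation does not stop forgery.
    $url = sanitize_text_field( wp_unslash( $_POST['phplist_url'] ?? '' ) );
    update_option( 'demo_phplist_url', $url );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo-phplist&saved=1' ) );
    exit;
} );

// --- Hardened shape: capability check plus an action-bound nonce.
add_action( 'admin_post_demo_phplist_save', function () {
    // 1. Authorisation: only users allowed to change site settings may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 'Forbidden', array( 'response' => 403 ) );
    }
    // 2. Request provenance: check_admin_referer() verifies the '_wpnonce'
    //    field produced by wp_nonce_field() for this exact action and dies
    //    with a 403 on mismatch. The nonce is tied to the user's session and
    //    is not readable from another origin, so a forged POST stops here
    //    before any state changes.
    check_admin_referer( 'demo_phplist_save' );

    $url = esc_url_raw( wp_unslash( $_POST['phplist_url'] ?? '' ) );
    update_option( 'demo_phplist_url', $url );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo-phplist&saved=1' ) );
    exit;
} );

// --- The settings form that pairs with the hardened handler.
function demo_phplist_render_settings_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_phplist_save">
        <?php wp_nonce_field( 'demo_phplist_save' ); // emits _wpnonce and _wp_http_referer ?>
        <label>
            PHPList URL
            <input type="url" name="phplist_url"
                   value="<?php echo esc_attr( get_option( 'demo_phplist_url', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin for this class of bug, look for every admin_post_*, wp_ajax_* and settings-page POST handler and confirm both checks are present; a nonce without a capability check lets a low-privileged user save settings on their own behalf, and a capability check without a nonce is exactly the CSRF pattern above.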
Potential Impact
The primary impact of this CSRF vulnerability is unauthorized manipulation of mailing list data and plugin configuration on affected WordPress sites. Depending on which handler is exposed, an attacker could alter subscription state, change the PHPList integration settings, or disrupt mailing list operations, with loss of data integrity and possible reputational damage as the result. Organizations relying on WP PHPList for customer communications, marketing campaigns, or internal notifications could see operational disruption, unauthorized data changes, or misuse of their mailing infrastructure, and unauthorized emails or subscriber changes made without consent can create compliance exposure. The vulnerability affects the integrity of mailing list management and potentially its availability; it does not directly affect confidentiality, because the attacker's page cannot read the responses to the forged requests, unless it is chained with another vulnerability. Since exploitation requires an authenticated victim, the realistic targets are users who hold WordPress administrator or other roles with access to the plugin's features. Given the widespread use of WordPress and mailing list plugins, the aggregate attack surface is still significant.
Mitigation Recommendations
To mitigate this vulnerability, organizations should first review and restrict user roles so that as few accounts as possible can reach the WP PHPList plugin features; CSRF executes with the victim's privileges, so fewer privileged accounts means fewer useful victims. A web application firewall or reverse proxy can provide interim protection only by checking request provenance, since a forged request is otherwise byte-for-byte identical to a legitimate one: reject state-changing (non-GET) requests to wp-admin paths whose Origin header, or Referer when Origin is absent, is not the site's own origin. Do not rely on browser SameSite cookie defaults instead; they are not uniform across browsers and do not protect actions that can be triggered by a plain GET navigation. Site administrators should keep admin sessions short and encourage users to log out when not actively managing the site, because a CSRF page only works while the victim is logged in. Monitoring for unexpected changes to the plugin's options, subscription data, or outbound mail volume can surface exploitation early. Once available, promptly apply the official update from the WP PHPList developers. Developers and site maintainers should ensure that every form and state-changing request in the plugin carries a WordPress nonce (wp_nonce_field() on the form, check_admin_referer() or wp_verify_nonce() in the handler) alongside a current_user_can() capability check, and should validate the Origin and Referer headers as defence in depth. Regular security audits and penetration testing focused on plugin integrations help find the same pattern before it is reported as a CVE.
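The interim Origin/Referer gate described above, as an added example written for this page rather than anything shipped with WP PHPList or WordPress: a must-use plugin (dropped into wp-content/mu-plugins/) that rejects cross-origin write requests to the admin area from logged-in users until the plugin is patched. The function and option names are hypothetical; the decision logic is kept in a pure function so it can be read and unit-tested apart from WordPress.

```php
<?php
/**
 * Plugin Name: Demo Cross-Origin Admin Write Gate (interim CSRF mitigation)
 * Example must-use plugin for this page; not part of WP PHPList or WordPress.
 * Assumed names: demo_site_origin(), demo_is_cross_origin_write().
 */

/** Scheme://host[:port] of this site, the only origin allowed to write. */
function demo_site_origin() {
    $p      = wp_parse_url( home_url() );
    $origin = strtolower( $p['scheme'] . '://' . $p['host'] );
    if ( ! empty( $p['port'] ) ) {
        $origin .= ':' . $p['port'];
    }
    return $origin;
}

/**
 * Pure decision: true when the request is a write (non GET/HEAD/OPTIONS)
 * whose Origin, or Referer if Origin is absent, is not $site_origin.
 * Browsers always send Origin on cross-site POSTs, so a forged form
 * submission from attacker.example arrives with Origin: https://attacker.example.
 */
function demo_is_cross_origin_write( $method, $origin_header, $referer_header, $site_origin ) {
    if ( in_array( strtoupper( (string) $method ), array( 'GET', 'HEAD', 'OPTIONS' ), true ) ) {
        return false; // reads are not gated here; see the caveat below
    }
    $source = ( $origin_header !== null && $origin_header !== '' ) ? $origin_header : $referer_header;
    // "null" is what sandboxed frames and data: URLs send; treat like a
    // foreign origin. A write with neither header is fail-closed: a real
    // browser form post from this site carries at least a Referer.
    if ( $source === null || $source === '' || strtolower( $source ) === 'null' ) {
        return true;
    }
    $p = wp_parse_url( $source );
    if ( empty( $p['scheme'] ) || empty( $p['host'] ) ) {
        return true;
    }
    $src = strtolower( $p['scheme'] . '://' . $p['host'] );
    if ( ! empty( $p['port'] ) ) {
        $src .= ':' . $p['port'];
    }
    return $src !== $site_origin;
}

add_action( 'init', function () {
    // Only admin-area endpoints (wp-admin/*.php, admin-post.php, admin-ajax.php)
    // and only for logged-in users: an unauthenticated request carries no
    // ambient authority for CSRF to borrow, so gating it would only break
    // legitimate public integrations.
    $uri = $_SERVER['REQUEST_URI'] ?? '';
    if ( strpos( $uri, '/wp-admin/' ) === false || ! is_user_logged_in() ) {
        return;
    }
    $blocked = demo_is_cross_origin_write(
        $_SERVER['REQUEST_METHOD'] ?? 'GET',
        $_SERVER['HTTP_ORIGIN'] ?? null,
        $_SERVER['HTTP_REFERER'] ?? null,
        demo_site_origin()
    );
    if ( $blocked ) {
        // Log the path and source so exploitation attempts are visible.
        error_log( sprintf(
            'cross-origin admin write blocked: %s from %s',
            $uri,
            $_SERVER['HTTP_ORIGIN'] ?? ( $_SERVER['HTTP_REFERER'] ?? '(no origin/referer)' )
        ) );
        wp_die( 'Cross-origin request rejected', 'Forbidden', array( 'response' => 403 ) );
    }
}, 0 );
```

Two caveats a deployer should weigh. This gate does nothing for a handler that changes state on a GET, which a nonce check would still catch, so it complements rather than replaces the plugin fix. And it is a site-wide control: any legitimate tool that POSTs into wp-admin from another origin, or that strips Origin and Referer, will be rejected for logged-in sessions, so watch the error log after enabling it and remove it once the patched plugin release is installed.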
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, France, Netherlands, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-02-12T13:58:47.896Z
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Threat ID: 69cd72a7e6bfc5ba1deec859
Added to database: 4/1/2026, 7:31:51 PM
Last enriched: 4/1/2026, 10:16:36 PM
Last updated: 4/6/2026, 11:16:49 AM