CVE-2025-6054

🗓️ 23 Jul 2025 02:24:37Reported by WordfenceType

cve🔗 web.nvd.nist.gov👁 18 Views🌐 WEB

YANewsflash plugin before 1.0.4 has Cross-Site Request Forgery allowing attacks via forged requests

Reporter	Title	Published	Views	Family All 10
Circl	CVE-2025-6054	23 Jul 202506:38	–	circl
CNNVD	WordPress plugin YANewsflash 跨站请求伪造漏洞	23 Jul 202500:00	–	cnnvd
Cvelist	CVE-2025-6054 YANewsflash <= 1.0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting	23 Jul 202502:24	–	cvelist
EUVD	EUVD-2025-22404	3 Oct 202520:07	–	euvd
NVD	CVE-2025-6054	23 Jul 202503:15	–	nvd
Patchstack	WordPress YANewsflash plugin <= 1.0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability	22 Jul 202522:23	–	patchstack
Positive Technologies	PT-2025-30512 · WordPress · Yanewsflash	23 Jul 202500:00	–	ptsecurity
RedhatCVE	CVE-2025-6054	25 Jul 202502:29	–	redhatcve
Vulnrichment	CVE-2025-6054 YANewsflash <= 1.0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting	23 Jul 202502:24	–	vulnrichment
Wordfence Blog	Wordfence Intelligence Weekly WordPress Vulnerability Report (July 21, 2025 to July 27, 2025)	31 Jul 202517:09	–	wordfence

Vulners

Node

stratosg yanewsflashRange≤1.0.3wordpress

[
  {
    "vendor": "stratosg",
    "product": "YANewsflash",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "1.0.3",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/171fe5db-0b43-47ba-b215-87ce9d7b5095
wordpress	www.wordpress.org/plugins/yanewsflash/

Parameter	Position	Path	Description	CWE
settings	request body	yanewsflash/yanewsflash.php	CSRF vulnerability due to missing/invalid nonce validation on yanewsflash/yanewsflash.php allowing unauthenticated attackers to update plugin settings via forged requests.	CWE-352

15 Apr 2026 00:35Current

6.7Medium risk

Vulners AI Score6.7

CVSS 3.16.1

EPSS0.00044

SSVC

CWE-352