FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.), CVE-2025-11976
- CVE, Research URL
- Published on
- Oct 25, 2025
- Research Description
- The FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.23.0. This is due to missing or incorrect nonce validation on the save_changes function. This makes it possible for unauthenticated attackers to add or edit sync rules via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
- Affected versions
-
max 1.1.23.1.
- Status
-
vulnerable
| Previous vulnerability researches |
|---|
| Post Grid for Elementor & Product Grid | PowerGrids (513b8cac04964f7c742c50353b32f41d519b21a5) , Jun 07, 2024 |