CVE-2025-10691: 
WordPress vulnerability analysis and mitigation

The Easy Email Subscription plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 1.3, identified as CVE-2025-10691. The vulnerability was discovered and disclosed on November 5, 2025. The issue affects the show_editsub_page() function due to missing or incorrect nonce validation (NVD).

The vulnerability stems from improper implementation of security controls in the show_editsub_page() function, specifically the absence of proper nonce validation. The severity is rated as MEDIUM with a CVSS v3.1 base score of 4.3 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). The vulnerability is classified as CWE-352: Cross-Site Request Forgery (NVD).

When exploited, this vulnerability allows unauthenticated attackers to delete arbitrary subscribers from the system. The impact is limited to data manipulation, specifically the unauthorized deletion of email subscription records, but requires user interaction in the form of tricking a site administrator into performing specific actions (NVD).

A security update has been released in version 1.3.1 of the Easy Email Subscription plugin. Site administrators are advised to update to this latest version to address the vulnerability (WordPress Plugin Repository).