CVE-2025-31859: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the Feedbucket – Website Feedback Tool WordPress plugin, affecting all versions up to and including 1.0.6. The vulnerability was identified on April 1, 2025, and assigned CVE-2025-31859. The issue stems from missing or incorrect nonce validation on certain functions (WPScan, Patchstack).

The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) with a CVSS 3.1 base score of 5.4 (Medium), using the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L. The issue exists due to improper implementation of security controls, specifically the lack of proper nonce validation in certain functions (NVD, Patchstack).

The vulnerability allows unauthenticated attackers to perform unauthorized actions by tricking site administrators into performing specific actions, such as clicking on malicious links. This could lead to potential data manipulation or unauthorized changes to the website's functionality (WPScan).

The vulnerability has been fixed in version 1.0.7 of the Feedbucket – Website Feedback Tool plugin. Users are advised to update to this version or later to remove the vulnerability. For Patchstack users, enabling auto-update for vulnerable plugins is recommended as an additional security measure (Patchstack).