CVE-2025-32546: 
WordPress vulnerability analysis and mitigation

CVE-2025-32546 is a Cross-Site Request Forgery (CSRF) vulnerability discovered in the WordPress plugin 'All push notification for WP' affecting versions up to 1.5.3. The vulnerability was publicly disclosed on April 14, 2025, and allows for Reflected Cross-Site Scripting (XSS) attacks (NVD, WPScan).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) and allows unauthenticated attackers to perform CSRF attacks that can lead to reflected XSS exploitation (NVD, Patchstack).

The vulnerability enables unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on malicious links. This can lead to compromised user sessions, data theft, and potential site manipulation (WPScan).

Currently, there is no official fix available for this vulnerability. Website administrators are advised to consider removing and replacing the plugin as it appears to be abandoned. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available (Patchstack).