CVE-2025-47590: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in John Dagelmore's WPSpeed WordPress plugin, affecting versions through 2.6.5. The vulnerability was disclosed on May 7, 2025, and was initially reported by researcher Nguyen Xuan Chien on April 9, 2025 (Wiz, Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. It is classified as CWE-352 (Cross-Site Request Forgery). The attack vector is network-based, with low attack complexity, requiring no privileges but necessitating user interaction. The scope is unchanged, with no impact on confidentiality, low impact on integrity, and no impact on availability (Wiz).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The impact is considered low severity, with primary concerns focused on integrity rather than confidentiality or availability (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. The issue affects WPSpeed versions through 2.6.5, and users are advised to monitor for updates from the developer (Patchstack).