CVE-2025-49077: 
WordPress vulnerability analysis and mitigation

Cross-Site Request Forgery (CSRF) vulnerability affects ThemeHigh Dynamic Pricing and Discount Rules WordPress plugin versions up to and including 2.2.9. The vulnerability was discovered and reported on March 26, 2025, and publicly disclosed on May 30, 2025. The issue has been assigned CVE-2025-49077 with a CVSS v3.1 base score of 4.3 (Medium) (Patchstack).

The vulnerability stems from missing or incorrect nonce validation on a function within the Dynamic Pricing and Discount Rules plugin. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, indicating that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction (NVD).

This vulnerability allows unauthenticated attackers to perform unauthorized actions by tricking site administrators into performing specific actions, such as clicking on malicious links. The impact is primarily focused on integrity with a low severity rating (Rapid7).

The vulnerability has been fixed in version 2.3.0 of the Dynamic Pricing and Discount Rules plugin. Users are advised to update to version 2.3.0 or later to remove the vulnerability. The security issue has been classified as having a low severity impact (Patchstack).