CVE-2025-59572: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the WordPress WorkScout-Core plugin affecting all versions prior to 1.7.06. The vulnerability was reported on August 24, 2025, and publicly disclosed on September 22, 2025. This security issue was assigned CVE-2025-59572 and affects the purethemes WorkScout-Core plugin for WordPress (Patchstack).

The vulnerability stems from missing or incorrect nonce validation on a function within the WorkScout-Core plugin. It has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (Rapid7, Patchstack).

The vulnerability allows unauthenticated attackers to perform unauthorized actions by tricking site administrators into performing specific actions, such as clicking on malicious links. This could potentially lead to unauthorized changes or actions being executed with administrator privileges (Rapid7).

The vulnerability has been fixed in version 1.7.06 of the WorkScout-Core plugin. Users are advised to update to version 1.7.06 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).