CVE-2025-62956: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was identified in the iseremet Reloadly reloadly-topup-widget WordPress plugin, which also allows for Stored XSS attacks. The vulnerability affects Reloadly versions up to and including 2.0.1. This security issue was initially disclosed on October 15, 2025, and was assigned the identifier CVE-2025-62956 (NVD, Wordfence).

The vulnerability has received varying severity assessments from different organizations. CISA-ADP assigned it a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating a network-attackable vulnerability with low attack complexity, requiring no privileges but some user interaction. The vulnerability has been categorized under CWE-352 (Cross-Site Request Forgery) (NVD).

Based on the CVSS scoring and vulnerability type, this security flaw could potentially allow attackers to perform unauthorized actions on behalf of authenticated users and inject malicious stored cross-site scripting payloads. The high CVSS score indicates potential for significant impact on confidentiality, integrity, and availability of the affected systems (NVD).