CVE-2025-9632: 
WordPress vulnerability analysis and mitigation

The PhpList Subber plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 1.1, discovered on September 11, 2025. The vulnerability exists due to missing or incorrect nonce validation in the bulkactionhandler function (NVD).

The vulnerability stems from improper security controls in the bulkactionhandler function, specifically related to missing or incorrect nonce validation. This security flaw allows unauthenticated attackers to trigger bulk synchronization of subscription forms through forged requests. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (Wordfence).

The vulnerability allows unauthenticated attackers to trigger unauthorized bulk synchronization of subscription forms, but only if they can trick a site administrator into performing specific actions like clicking on a malicious link. This could potentially lead to unauthorized form modifications or synchronization operations (NVD).

Website administrators running the PhpList Subber plugin should update to a version newer than 1.1 once available. Until a patch is released, administrators should exercise caution when clicking on links while logged into their WordPress dashboard and consider temporarily disabling the plugin if the functionality is not critical (NVD).