Cyber Posture

CVE-2025-22556

High

Published: 07 January 2025

Modified: 23 April 2026
KEV Added
Patch
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0014 (32.9th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Description

Cross-Site Request Forgery (CSRF) vulnerability in WP CMS Ninja Norse Rune Oracle Plugin norse-runes-oracle allows Cross Site Request Forgery. This issue affects Norse Rune Oracle Plugin: from n/a through <= 1.4.2.

Security Summary

CVE-2025-22556 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Norse Rune Oracle plugin (norse-runes-oracle) for WordPress. The issue affects the plugin from unknown initial versions through version 1.4.2 inclusive. Published on January 7, 2025, it carries a CVSS v3.1 base score of 7.1, reflecting a network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, and low impact to confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this CSRF vulnerability over the network by tricking authenticated users into performing unintended actions via malicious requests, such as from a crafted webpage. Exploitation requires user interaction, like visiting a malicious site while logged into a vulnerable WordPress site with the plugin enabled. Successful attacks enable limited disruption, including low-level unauthorized modifications or disclosures within the affected scope.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/norse-runes-oracle/vulnerability/wordpress-norse-rune-oracle-plugin-1-4-1-csrf-to-stored-xss-vulnerability?_s_id=cve.

Details

CWE(s)
CWE-352
