CVE-2025-25101
Published: 07 February 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-25101 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Munk Sites WordPress plugin by MetricThemes. Published on 2025-02-07, it affects all versions of the plugin from n/a through 1.0.7. The vulnerability enables CSRF attacks due to insufficient protections in the plugin's request handling.
With a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), the issue allows unauthenticated remote attackers to exploit it with low complexity by tricking authenticated users—typically administrators—into interacting with a malicious webpage, such as clicking a forged link. Successful exploitation leads to arbitrary plugin installation on the target WordPress site, granting high impacts on confidentiality, integrity, and availability.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/munk-sites/vulnerability/wordpress-munk-sites-plugin-1-0-7-csrf-to-arbitrary-plugin-installation-vulnerability?_s_id=cve provides details on this CSRF-to-arbitrary-plugin-installation vulnerability in Munk Sites version 1.0.7, including mitigation guidance for affected WordPress installations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF vulnerability in public-facing WordPress plugin enables exploitation via malicious link to achieve arbitrary plugin installation.