CVE-2025-25107

CVE-2025-25107 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the sainwp OneStore Sites WordPress plugin (onestore-sites). This issue affects all versions from n/a through 0.1.1 inclusive. The vulnerability has a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, lack of required privileges, user interaction requirement, and changed scope with high impacts across confidentiality, integrity, and availability.

An attacker can exploit this CSRF flaw remotely without authentication by tricking a victim—typically an authenticated WordPress administrator—into interacting with a malicious webpage, such as clicking a crafted link. This forces the victim's browser to submit unauthorized requests to the vulnerable plugin, enabling arbitrary plugin installation on the target site. Such installation could allow full site compromise, code execution, or further persistence, aligning with the vulnerability's high-impact CVSS metrics.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/onestore-sites/vulnerability/wordpress-onestore-sites-plugin-0-1-1-csrf-to-arbitrary-plugin-installation-vulnerability?_s_id=cve) describes the flaw as a CSRF leading to arbitrary plugin installation in OneStore Sites version 0.1.1. Practitioners should review this reference for detailed technical analysis, affected configurations, and recommended mitigations, such as updating the plugin or implementing CSRF protections.