CVE-2025-25121
Published: 03 March 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-25121 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Theme Options Z WordPress plugin (theme-options-z) developed by shyammakwana. This issue affects the plugin from n/a through version 1.4 inclusive. The vulnerability was published on 2025-03-03 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The vulnerability enables exploitation over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), and results in a changed scope (S:C) with low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L). Any remote attacker can exploit it by tricking an authenticated user into performing unintended actions via a forged request, potentially allowing unauthorized modifications within the theme options functionality.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/theme-options-z/vulnerability/wordpress-wp-spell-check-plugin-9-21-cross-site-request-forgery-csrf-vulnerability-2?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF vuln in public-facing WordPress plugin directly maps to T1190 for exploitation of web apps; requires tricking user via forged request typically delivered as malicious link (T1204.001).