CVE-2025-26963

CVE-2025-26963 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the ClickWhale WordPress plugin. It affects all versions of ClickWhale from n/a through 2.4.3. Published on 2025-02-25, the vulnerability enables CSRF attacks against the plugin without proper token validation.

The vulnerability has a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction (such as clicking a malicious link). An attacker can exploit it by tricking an authenticated user, typically an administrator, into submitting a forged request via a malicious website, resulting in low-impact integrity and availability violations, such as unauthorized settings changes.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/clickwhale/vulnerability/wordpress-clickwhale-plugin-2-4-3-cross-site-request-forgery-csrf-to-settings-change-vulnerability?_s_id=cve details the issue as a CSRF vulnerability in ClickWhale 2.4.3 that enables settings changes. Security practitioners should consult the advisory for patch availability and mitigation guidance.