CVE-2025-31616

CVE-2025-31616 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the AdminGeekZ Varnish WordPress plugin known as varnish-wp. This issue affects Varnish WordPress versions from n/a through 1.7 inclusive. The vulnerability was published on 2025-03-31 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, and scope change with low impacts across confidentiality, integrity, and availability.

An unauthenticated attacker can exploit this CSRF vulnerability by tricking a victim—typically an authenticated WordPress administrator—into performing an unintended action, such as submitting a malicious request via a crafted webpage, email link, or image. Successful exploitation requires user interaction but no special privileges from the attacker. It enables the attacker to act as the victim, potentially leading to stored cross-site scripting (XSS) as indicated in related advisories.

Patchstack has documented this as a CSRF-to-stored XSS vulnerability specifically in Varnish WordPress plugin version 1.7, with details available in their vulnerability database.