Plattform
wordpress
Komponente
peer-publish
Behoben in
1.0.1
CVE-2025-12587 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Peer Publish plugin for WordPress. This flaw allows unauthenticated attackers to manipulate website configurations, such as adding, modifying, or deleting websites, if they can trick an administrator into performing actions via a forged request. The vulnerability impacts versions 1.0.0 through 1.0, and a fix is pending.
The core impact of this CSRF vulnerability lies in the potential for unauthorized modification of website configurations. An attacker could leverage this to add malicious websites, alter existing settings to redirect traffic or inject malicious code, or even delete legitimate websites. Successful exploitation could lead to a complete compromise of the WordPress site's functionality and data integrity. The attack vector relies on social engineering – tricking an administrator into clicking a malicious link or visiting a crafted page. While requiring user interaction, the ease of crafting such attacks makes this a significant risk.
This vulnerability was publicly disclosed on 2025-11-25. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the relatively straightforward nature of CSRF exploitation and the plugin's functionality, it is reasonable to expect that attackers may begin targeting vulnerable installations.
WordPress websites utilizing the Peer Publish plugin, particularly those with shared hosting environments or where administrator accounts are not adequately secured, are at heightened risk. Sites with less stringent URL filtering and those where administrators are prone to clicking on suspicious links are also more vulnerable.
• wordpress / composer / npm:
grep -r 'Peer Publish' /var/www/html/wp-content/plugins/
wp plugin list --status=all | grep 'Peer Publish'• generic web:
curl -I https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=peer_publish_add_websitedisclosure
Exploit-Status
EPSS
0.02% (3% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation is to upgrade to a patched version of the Peer Publish plugin as soon as it becomes available. Until then, consider implementing temporary workarounds. Restrict administrator access to only essential tasks and implement strict URL filtering to prevent access to potentially malicious sites. Employ a Web Application Firewall (WAF) with CSRF protection rules to block forged requests. Regularly review website configurations for any unauthorized changes. After upgrading, confirm the fix by attempting a CSRF attack on the website management pages and verifying that the request is blocked.
Kein bekannter Patch verfügbar. Bitte überprüfen Sie die Details der Vulnerability im Detail und setzen Sie Schutzmaßnahmen basierend auf der Risikobereitschaft Ihrer Organisation um. Es kann am besten sein, die betroffene Software zu deinstallieren und eine Alternative zu finden.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-12587 is a Cross-Site Request Forgery (CSRF) vulnerability in the Peer Publish WordPress plugin, allowing attackers to manipulate website configurations via forged requests.
You are affected if you are using Peer Publish WordPress plugin versions 1.0.0–1.0 and have not upgraded to a patched version.
Upgrade to a patched version of the Peer Publish plugin as soon as it becomes available. Implement temporary workarounds like URL filtering and WAF rules until the upgrade.
No active exploitation has been confirmed at this time, but the vulnerability's nature suggests potential for future attacks.
Check the Peer Publish plugin's official website or WordPress plugin repository for updates and security advisories related to CVE-2025-12587.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.