Top Friends <= 0.3 - Cross-Site Request Forgery to Settings Update

An attacker can exploit this XSRF vulnerability by crafting a malicious request that appears to originate from a legitimate user. If a site administrator clicks on this crafted link, the attacker can execute arbitrary actions within the Top Friends plugin, such as modifying settings or potentially gaining unauthorized access to sensitive data. The blast radius is limited to the plugin's functionality, but successful exploitation could lead to configuration changes impacting site functionality or user experience. This vulnerability highlights the importance of proper nonce validation in WordPress plugins to prevent unauthorized modifications.

WordPress websites using the Top Friends plugin, particularly those with site administrators who are susceptible to social engineering attacks. Shared hosting environments where plugin updates are managed centrally are also at increased risk.

• wordpress / composer / npm:

grep -r 'top_friends_options_subpanel' /var/www/html/wp-content/plugins/

• generic web:

curl -I https://your-wordpress-site.com/wp-admin/admin.php?page=top-friends-settings | grep -i 'top_friends_options_subpanel'

1. 2025-11-18Disclosure

   disclosure

1. Reserviert2025-11-06
2. Veröffentlicht2025-11-18
3. Geändert2026-04-08
4. EPSS aktualisiert2026-03-23

The primary mitigation for CVE-2025-12827 is to upgrade the Top Friends plugin to a version that includes the necessary nonce validation fixes. As a temporary workaround, consider implementing stricter access controls for plugin settings, limiting who can modify them. Web Application Firewalls (WAFs) can be configured to detect and block suspicious requests targeting the topfriendsoptions_subpanel() function. Regularly review WordPress plugin configurations and user permissions to identify and address potential vulnerabilities.