Platform
wordpress
Component
authorsure
Fixed in
2.4
CVE-2025-13134 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the AuthorSure plugin for WordPress. The flaw lets an unauthenticated attacker change the plugin's settings, and through them inject web scripts, by tricking a logged-in site administrator into performing an action such as opening a link. Versions 0.0.0 through 2.3 (every release before 2.4) are affected; version 2.4 contains the fix.
The primary impact of CVE-2025-13134 is that an attacker can get malicious script stored in the site's configuration. Because the settings handler does not verify that the request was intentionally submitted from the plugin's own admin page, a forged request executed by a logged-in administrator's browser modifies AuthorSure settings with attacker-supplied content. If that content is rendered into pages without escaping, arbitrary JavaScript runs for anyone who loads them, which enables session hijacking, defacement, or redirection to attacker-controlled sites. The blast radius is therefore every visitor of the site, not only the administrator who was tricked, and the payload persists in the stored settings until it is removed. Exploitation requires social engineering: the administrator must open a crafted page or link while holding a valid wp-admin session.
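To make the mechanism concrete, the following is an added example and not AuthorSure's own code: a minimal WordPress settings handler in the shape that produces this class of CSRF-to-stored-XSS, followed by a hardened version. The option, action, nonce and field names (authorsure_example_*, author_box_html) are hypothetical; the WordPress functions used (update_option, check_admin_referer, current_user_can, wp_kses_post, admin-post.php hooks) are real core APIs.

```php
<?php
// Added example, not AuthorSure's code. The two halves are alternatives:
// the first is the vulnerable shape, the second the hardened one.
// Option, action, nonce and field names are hypothetical.

// ---------- Vulnerable pattern ----------
// Runs on every admin page load and trusts any POST carrying the field.
// A page on another site can auto-submit such a POST in a logged-in
// administrator's browser, which is all the CSRF needs.
function authorsure_example_save_vulnerable() {
    if ( isset( $_POST['author_box_html'] ) ) {
        // No nonce, no capability check, no sanitisation.
        update_option( 'authorsure_example_author_box', wp_unslash( $_POST['author_box_html'] ) );
    }
}
add_action( 'admin_init', 'authorsure_example_save_vulnerable' );

function authorsure_example_render_vulnerable() {
    // Stored value is echoed raw: an injected <script> runs for every visitor.
    echo get_option( 'authorsure_example_author_box', '' );
}

// ---------- Hardened pattern ----------
function authorsure_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="authorsure_example_save">
        <?php wp_nonce_field( 'authorsure_example_save', 'authorsure_example_nonce' ); ?>
        <textarea name="author_box_html"><?php
            echo esc_textarea( get_option( 'authorsure_example_author_box', '' ) );
        ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

function authorsure_example_save_hardened() {
    // 1. Capability: only users who may manage options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Nonce: bound to the user's session and unreadable from another
    //    origin, so a forged cross-site POST dies here.
    check_admin_referer( 'authorsure_example_save', 'authorsure_example_nonce' );

    // 3. Sanitise on input: wp_kses_post() strips <script>, on* handlers
    //    and javascript: URLs while keeping ordinary post markup.
    $html = isset( $_POST['author_box_html'] )
        ? wp_kses_post( wp_unslash( $_POST['author_box_html'] ) )
        : '';
    update_option( 'authorsure_example_author_box', $html );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}
add_action( 'admin_post_authorsure_example_save', 'authorsure_example_save_hardened' );

function authorsure_example_render_hardened() {
    // 4. Filter on output too: a value stored before the fix may still
    //    contain script, and upgrading the plugin does not rewrite it.
    echo wp_kses_post( get_option( 'authorsure_example_author_box', '' ) );
}
add_action( 'wp_footer', 'authorsure_example_render_hardened' );
```

The nonce proves intent (the request came from a form the site itself rendered for this user); the capability check proves authorization. Both are needed, and neither replaces escaping on output, because data written before the fix stays in wp_options after the upgrade. When reviewing a plugin for this bug, the pattern to look for is a custom handler that reads $_POST and calls update_option() without a preceding check_admin_referer() or wp_verify_nonce(); forms that post to options.php through the Settings API (register_setting) get the nonce check from WordPress core.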
CVE-2025-13134 was publicly disclosed on 2025-11-21. No public proof-of-concept (PoC) code had been released at the time of writing, but a CSRF request of this kind is straightforward to stage once the settings endpoint is known. It is not listed in the CISA KEV catalog. The EPSS estimate shown below (0.03%, 7th percentile) indicates a low predicted probability of exploitation in the wild; the technical effort is small, so the limiting factor is getting an administrator to open the lure while logged in.
Any WordPress site with AuthorSure 2.3 or earlier active is affected. The risk is higher where administrators browse other sites in the same browser session in which they are logged in to wp-admin, where many accounts hold the administrator role, and where administrators have not been trained to recognize social-engineering lures. Hosting topology does not change the exposure: the forged request is sent by the administrator's own browser, not by the attacker's infrastructure.
• wordpress / plugin: Use wp-cli to check whether AuthorSure is active and which version is installed (anything at or below 2.3 is affected):
wp plugin list --status=active | grep -i authorsure
• wordpress / plugin: Review the plugin's settings handlers for missing nonce and capability checks: look for code that reads $_POST and calls update_option() without a preceding check_admin_referer() or wp_verify_nonce() and current_user_can() check, and for stored settings that are echoed into pages without escaping.
• generic web: Monitor access logs for POST requests to the plugin's settings page in wp-admin (and to admin-post.php or options.php) whose Referer or Origin header is absent or names another site; a settings form submitted from wp-admin carries the site's own origin, a forged one does not. Unusual source IPs or user agents are a weak secondary signal, because the forged request comes from the administrator's own browser.
• generic web: Inspect the plugin's stored settings (its rows in wp_options) and the site's rendered pages for unexpected script tags, inline event handlers or redirect code; the injected payload lives in the response body, not in response headers.
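The log check described above, as an added example that is not part of the original advisory: a small PHP CLI script that parses combined-format access log lines and flags POSTs to the settings endpoint whose Referer is missing or belongs to a foreign host. The log lines are constructed for this example; the site host (blog.example.com) and the path filter "authorsure" are assumptions to be adjusted to the real endpoint.

```php
<?php
// Added example, not part of the advisory. Flags cross-site POSTs to a
// plugin settings page in combined-format access logs.
// SITE_HOST and the "authorsure" path filter are assumptions.

const SITE_HOST = 'blog.example.com';

// combined format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';

function parse_log_line( string $line ): ?array {
    if ( ! preg_match( LOG_RE, $line, $m ) ) {
        return null;
    }
    return [
        'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4],
        'status' => (int) $m[5], 'referer' => $m[6], 'ua' => $m[7],
    ];
}

// True when a settings write did not originate from the site's own admin pages.
function is_suspicious_settings_post( array $r ): bool {
    if ( $r['method'] !== 'POST' ) {
        return false;
    }
    // Settings writes land on the plugin page, admin-post.php or options.php.
    if ( stripos( $r['path'], 'authorsure' ) === false
         && stripos( $r['path'], 'admin-post.php' ) === false
         && stripos( $r['path'], 'options.php' ) === false ) {
        return false;
    }
    // "-" is how the log records a missing Referer. A browser submitting a
    // form from wp-admin sends the site's own host; a forged POST does not.
    $referer = $r['referer'];
    if ( $referer === '-' || $referer === '' ) {
        return true;
    }
    $host = parse_url( $referer, PHP_URL_HOST );
    return strcasecmp( (string) $host, SITE_HOST ) !== 0;
}

function scan( array $lines ): array {
    $hits = [];
    foreach ( $lines as $line ) {
        $r = parse_log_line( $line );
        if ( $r !== null && is_suspicious_settings_post( $r ) ) {
            $hits[] = sprintf( '%s %s %s referer=%s', $r['time'], $r['ip'], $r['path'], $r['referer'] );
        }
    }
    return $hits;
}

// Constructed sample lines: one legitimate save, one forged from a lure page,
// one with the Referer suppressed, and one GET that must not be flagged.
$sample = [
    '203.0.113.7 - - [21/Nov/2025:10:01:02 +0000] "POST /wp-admin/admin.php?page=authorsure HTTP/1.1" 302 0 "https://blog.example.com/wp-admin/admin.php?page=authorsure" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Nov/2025:10:05:44 +0000] "POST /wp-admin/admin.php?page=authorsure HTTP/1.1" 302 0 "https://lure.example.net/read-me.html" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Nov/2025:10:06:10 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Nov/2025:10:07:00 +0000] "GET /wp-admin/admin.php?page=authorsure HTTP/1.1" 200 5120 "https://lure.example.net/read-me.html" "Mozilla/5.0"',
];

foreach ( scan( $sample ) as $hit ) {
    echo $hit, PHP_EOL;   // the second and third sample lines are reported
}
```

The missing-Referer case is a lower-confidence signal: a strict Referrer-Policy or a privacy extension in the administrator's browser also suppresses the header, and a site reachable under two hostnames (www and bare) produces false positives until SITE_HOST accounts for both. If the web server logs the Origin header as well, prefer it: browsers send Origin on every cross-site POST regardless of referrer policy.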
Disclosure
2025-11-21
Exploit status
No public PoC known; not listed in CISA KEV
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS vector
The most effective mitigation for CVE-2025-13134 is to upgrade the AuthorSure plugin to version 2.4 or later without delay. If upgrading is not immediately feasible, a Web Application Firewall cannot validate WordPress nonces (it does not hold the site's nonce secret), but it can enforce same-origin on writes: block POST requests to the plugin's settings page, admin-post.php and options.php whose Origin or Referer header names a host other than the site itself, or restrict wp-admin to trusted IP ranges. After upgrading, inspect the plugin's stored settings for injected script or redirect code, because the fix prevents new forged writes but does not clean up values already stored. Educate administrators about the risk of opening untrusted links while logged in to wp-admin, and review WordPress user roles regularly so that only the accounts that need it hold administrator privileges.
CVE-2025-13134 is a Cross-Site Request Forgery (CSRF) vulnerability in the AuthorSure WordPress plugin, allowing attackers to manipulate settings and inject scripts if they can trick an administrator.
You are affected if you are using AuthorSure plugin versions 0.0.0 through 2.3. Upgrade to 2.4 or later to mitigate the risk.
Upgrade the AuthorSure plugin to version 2.4 or later. As a temporary workaround, add a WAF rule that blocks POST requests to the plugin's settings endpoints whose Origin or Referer header does not match the site's own host, and restrict wp-admin to trusted IP ranges where possible.
While no public exploits are currently known, the vulnerability's nature makes it relatively easy to exploit, increasing the risk of exploitation.
Refer to the plugin's changelog for version 2.4 and to the published CVE record for CVE-2025-13134 for the official advisory.