Platform
wordpress
Component
wp-change-status-notifier
Fixed in
1.0.1
CVE-2025-13521 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the WP Status Notifier plugin for WordPress. Because the plugin's settings-update action does not verify that the request originated from its own settings form, an unauthenticated attacker can modify plugin settings by tricking a logged-in administrator into submitting a forged request. The vulnerability impacts versions 1.0.0 through 1.0, and a fix is pending release from the plugin developer.
An attacker exploiting this CSRF vulnerability could potentially alter the configuration of the WP Status Notifier plugin without authentication. This could involve changing notification settings, API keys, or other sensitive parameters. Depending on the plugin's functionality, this could lead to unauthorized access to data, modification of site behavior, or even denial of service. The impact is amplified if the plugin interacts with external services or APIs, as an attacker could potentially leverage the compromised plugin to launch attacks against those services. While the plugin itself might not be directly exploitable for broader system compromise, it represents a significant risk to WordPress site integrity and data security.
CVE-2025-13521 was publicly disclosed on 2026-01-07. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability's severity is rated as Medium. It is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed, but the ease of exploitation via CSRF makes it a potential target for opportunistic attackers.
WordPress websites utilizing the WP Status Notifier plugin, particularly those with multiple administrators or shared hosting environments, are at increased risk. Sites where administrators frequently click on links from untrusted sources are also more vulnerable. Legacy WordPress installations with outdated security practices are especially susceptible.
• wordpress / composer / npm: grep -r 'wp_status_notifier_settings_update' /var/www/html/wp-content/plugins/
• wordpress / composer / npm: wp plugin list --status=active | grep 'wp-status-notifier'
• wordpress / composer / npm: wp plugin auto-updates enable --all
Disclosure
Exploit status
EPSS
0.02% (3rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-13521 is to upgrade to a patched version of the WP Status Notifier plugin as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds. Restrict access to the plugin's settings page using WordPress's role-based access control features, limiting access to administrators only. Carefully review any links or URLs before clicking, especially those received via email or from untrusted sources. Implement a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Regularly monitor WordPress logs for suspicious activity related to the plugin.
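To make the mitigation concrete, the following is an added illustration, not code from the WP Status Notifier plugin (whose source this page does not show): the settings-update pattern that produces this class of CSRF, shown beside its hardened form using WordPress's own capability and nonce checks. Every hook, option and function name here (the `example_notifier_*` identifiers and the `notifier_api_key` field) is an assumption made for the example.

```php
<?php
/**
 * Added illustration, not the plugin's code. A WordPress settings handler that
 * trusts any POST is CSRF-prone; the hardened version below binds each update
 * to a capability check and a per-action nonce. All names are assumed.
 */

// --- Weak pattern: accepts any POST that reaches the handler. --------------
// A form auto-submitted from another site while an administrator is logged in
// carries the admin's session cookie, so this handler would apply the change.
function example_notifier_settings_update_weak() {
    if ( isset( $_POST['notifier_api_key'] ) ) {
        update_option(
            'example_notifier_api_key',
            sanitize_text_field( wp_unslash( $_POST['notifier_api_key'] ) )
        );
    }
}

// --- Hardened pattern: capability check plus a nonce bound to this action. -
function example_notifier_settings_update_hardened() {
    // 1. Only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }

    // 2. Reject requests that lack a valid nonce for this specific action.
    //    A forged cross-site request cannot read the nonce, so it dies here
    //    before any option is touched.
    check_admin_referer( 'example_notifier_update_settings', 'example_notifier_nonce' );

    // 3. Validate and sanitize the input before storing it.
    $api_key = isset( $_POST['notifier_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['notifier_api_key'] ) )
        : '';
    update_option( 'example_notifier_api_key', $api_key );

    // 4. Redirect back to the settings page (PRG pattern) and stop.
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example-notifier' ) ) );
    exit;
}
add_action( 'admin_post_example_notifier_update_settings', 'example_notifier_settings_update_hardened' );

// Settings form: emits the nonce field that the hardened handler verifies.
function example_notifier_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_notifier_update_settings">
        <?php wp_nonce_field( 'example_notifier_update_settings', 'example_notifier_nonce' ); ?>
        <label>API key
            <input type="text" name="notifier_api_key"
                   value="<?php echo esc_attr( get_option( 'example_notifier_api_key', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The nonce is what distinguishes a request the administrator actually submitted from one their browser was made to send by another site; the capability check alone does not help against CSRF, because the forged request arrives with the administrator's own session. When auditing a plugin for this class of bug, look for every handler that writes options and confirm it calls `check_admin_referer()` (or `wp_verify_nonce()`) before the write.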
No known patch is available. Please review the details of the vulnerability thoroughly and implement protective measures based on your organization's risk appetite. It may be best to uninstall the affected software and find an alternative.
CVE-2025-13521 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP Status Notifier plugin for WordPress versions 1.0.0–1.0, allowing attackers to modify plugin settings via forged requests.
You are affected if your WordPress site uses the WP Status Notifier plugin in versions 1.0.0 through 1.0. Check your plugin versions and upgrade as soon as a patch is available.
Upgrade to the latest version of the WP Status Notifier plugin once a patch is released. Until then, restrict access to plugin settings and carefully review links.
Active exploitation is not currently confirmed, but the vulnerability's nature makes it a potential target for attackers.
Refer to the plugin developer's website or WordPress.org plugin repository for updates and advisories related to CVE-2025-13521.