Platform: wordpress
Component: xshare
Fixed in: 1.0.2
A Cross-Site Request Forgery (CSRF) vulnerability exists in the xShare plugin for WordPress, affecting versions 1.0.0 through 1.0.1. This flaw allows unauthenticated attackers to potentially reset the plugin's settings by tricking a site administrator into performing an action, such as clicking a malicious link. The vulnerability stems from a lack of nonce validation within the `xshare_plugin_reset()` function. A fix is expected in a future release.
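The following is an added illustration, not the xShare plugin's code: a minimal WordPress admin-post handler that resets a plugin's options, shown first in the unprotected form the advisory describes (no nonce check, so a forged cross-site request riding on an administrator's session cookies triggers the reset) and then in the hardened form. The function, action and option names (`example_plugin_reset`, `example_plugin_settings`) are assumptions chosen for the example.

```php
<?php
// Added example (not xShare's code). Names below are assumptions for illustration.

// Unprotected pattern: nothing ties the request to a deliberate admin action.
// Any request that reaches this handler with an admin's cookies resets the options.
function example_plugin_reset_vulnerable() {
    delete_option( 'example_plugin_settings' );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-plugin' ) );
    exit;
}

// Hardened pattern: verify the nonce bound to this action and the current user,
// then require the capability needed to change settings.
function example_plugin_reset_hardened() {
    // Dies with "The link you followed has expired." if the nonce is missing or invalid.
    check_admin_referer( 'example_plugin_reset' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to reset these settings.', 'example-plugin' ), 403 );
    }

    delete_option( 'example_plugin_settings' );
    wp_safe_redirect( add_query_arg( 'reset', '1', admin_url( 'options-general.php?page=example-plugin' ) ) );
    exit;
}
// Only the hardened handler is wired up; admin-post.php routes ?action=example_plugin_reset here.
add_action( 'admin_post_example_plugin_reset', 'example_plugin_reset_hardened' );

// The reset link rendered on the settings page must carry a nonce for the same action,
// otherwise check_admin_referer() rejects legitimate clicks too.
function example_plugin_reset_link() {
    $url = wp_nonce_url(
        admin_url( 'admin-post.php?action=example_plugin_reset' ),
        'example_plugin_reset'
    );
    return '<a href="' . esc_url( $url ) . '">' . esc_html__( 'Reset settings', 'example-plugin' ) . '</a>';
}
```

The nonce alone is not an authorization check: `check_admin_referer()` proves the request came from a page WordPress rendered for this user, while `current_user_can()` decides whether that user may perform the reset at all. Both are needed, and the nonce action string must match between `wp_nonce_url()` and `check_admin_referer()`.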
Successful exploitation of this CSRF vulnerability could allow an attacker to modify the xShare plugin's configuration without authentication. This could lead to unintended changes in plugin behavior, potentially impacting website functionality or exposing sensitive data managed by the plugin. While the attacker needs to trick an administrator into performing the action, the potential impact is significant, as it could compromise the integrity of the website and its data. The ease of exploitation, requiring only social engineering, increases the risk.
This vulnerability was publicly disclosed on 2026-01-07. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the relatively low CVSS score and lack of public exploits, the probability of active exploitation is considered low to medium.
WordPress websites utilizing the xShare plugin, particularly those with shared hosting environments or legacy configurations where user access controls may be less stringent, are at increased risk. Site administrators who routinely click on links from untrusted sources are also more vulnerable.
• wordpress / composer / npm:
  grep -r 'xshare_plugin_reset()' /var/www/html/wp-content/plugins/xshare/
• generic web:
  curl -sI 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=xshare_plugin_reset&nonce=dummy' | grep -i '200 ok'

Disclosure
Exploit status
EPSS: 0.02% (3rd percentile)
CISA SSVC
CVSS vector
Currently, there is no official patch available for CVE-2025-13527. As a temporary workaround, consider restricting access to the plugin's settings page to authorized administrators only. Implement strict user access controls and educate administrators about the risks of clicking on suspicious links. Web Application Firewalls (WAFs) configured to detect and block CSRF attacks can also provide a layer of protection. Monitor plugin activity for any unauthorized changes. After a patch is released, upgrade to the fixed version immediately and confirm the reset functionality requires authentication.
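As an added example of the "monitor plugin activity for unauthorized changes" step above (not part of xShare or the advisory), the following must-use plugin logs every deletion or update of a watched option together with the acting user, client address and HTTP referer. A reset performed through a forged cross-site request shows up with an off-site or empty referer and an admin account that did not intentionally visit the settings page. The watched option name and the use of `error_log()` as the destination are assumptions.

```php
<?php
/*
Plugin Name: Example Option Change Audit (added example, not part of xShare)
Description: Logs changes to watched options with request context for CSRF/abuse review.
*/

// Option names to watch; assumed for illustration. Add the plugin's real option keys here.
const EXAMPLE_WATCHED_OPTIONS = array( 'example_plugin_settings' );

/**
 * Write one log line per change to a watched option.
 *
 * @param string $option Option name passed by the WordPress hook.
 * @param string $event  'delete' or 'update'.
 */
function example_audit_option_change( $option, $event ) {
    if ( ! in_array( $option, EXAMPLE_WATCHED_OPTIONS, true ) ) {
        return;
    }

    $user    = wp_get_current_user();
    $referer = isset( $_SERVER['HTTP_REFERER'] ) ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_REFERER'] ) ) : '';
    $ip      = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '';
    $uri     = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '';

    // A referer outside this site (or none at all) on a settings change is the signal to review.
    $offsite = ( '' === $referer ) || ( 0 !== strpos( $referer, home_url() ) );

    error_log( sprintf(
        'option-audit event=%s option=%s user=%s uid=%d ip=%s uri=%s referer="%s" offsite_referer=%s',
        $event,
        $option,
        $user->ID ? $user->user_login : 'anonymous',
        $user->ID,
        $ip,
        $uri,
        $referer,
        $offsite ? 'yes' : 'no'
    ) );
}

// delete_option fires before the option row is removed; updated_option fires after a change.
add_action( 'delete_option', function ( $option ) {
    example_audit_option_change( $option, 'delete' );
} );
add_action( 'updated_option', function ( $option ) {
    example_audit_option_change( $option, 'update' );
}, 10, 1 );
```

Drop the file into `wp-content/mu-plugins/` so it loads before regular plugins and cannot be deactivated from the dashboard. The `offsite_referer=yes` field is a review trigger, not proof of abuse, since browsers and privacy extensions sometimes strip the referer on legitimate requests.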
No known patch available. Please review the vulnerability details thoroughly and implement protective measures based on your organization's risk appetite. It may be best to uninstall the affected software and find an alternative.
CVE-2025-13527 is a Cross-Site Request Forgery (CSRF) vulnerability in the xShare WordPress plugin versions 1.0.0–1.0.1, allowing attackers to potentially reset plugin settings via forged requests.
If you are using the xShare WordPress plugin in versions 1.0.0 or 1.0.1, you are potentially affected by this vulnerability. Upgrade as soon as a patch is available.
Currently, there is no official patch. As a workaround, restrict access to the plugin’s settings page and educate administrators about phishing risks. Upgrade when a patch is released.
There is no confirmed active exploitation of CVE-2025-13527 at this time, but the risk remains until a patch is applied.
Refer to the xShare plugin developer's website or WordPress plugin repository for updates and official advisories regarding CVE-2025-13527.