WordPress OneStore Sites plugin <= 0.1.1 - CSRF to Arbitrary Plugin Installation vulnerability

A successful CSRF attack against OneStore Sites could allow an attacker to modify site configurations, add or delete products, or even gain administrative access if the user possesses sufficient privileges. The attacker would need to craft a malicious request and lure the victim into clicking a link or visiting a compromised page. This could be achieved through phishing emails, malicious websites, or even compromised advertisements. The potential blast radius extends to all authenticated users of the plugin, making it a significant risk for WordPress sites utilizing OneStore Sites.

WordPress sites using the sainwp OneStore Sites plugin, particularly those with user roles that have administrative privileges or access to sensitive data, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise on one site could potentially impact others.

• wordpress / composer / npm:

grep -r 'sainwp OneStore Sites' /var/www/html/
wp plugin list

• generic web:

curl -I https://your-wordpress-site.com/wp-content/plugins/onestore-sites/ | grep -i 'onestore-sites'

1. 2025-02-07Disclosure

   disclosure

1. Reserviert2025-02-03
2. Veröffentlicht2025-02-07
3. Geändert2026-04-28
4. EPSS aktualisiert2026-04-02

The primary mitigation for CVE-2025-25107 is to immediately upgrade the OneStore Sites plugin to version 0.1.2 or later. If upgrading is not feasible due to compatibility issues or breaking changes, consider implementing a Content Security Policy (CSP) to restrict the sources from which the browser can load resources. Additionally, implementing CSRF tokens on all sensitive actions within the plugin can provide an extra layer of protection. After upgrading, verify the fix by attempting to trigger a sensitive action (e.g., adding a product) from a different browser session without being logged in.