Platform
wordpress
Component
user-profile-meta
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the User Profile Meta Manager plugin for WordPress. This flaw allows an attacker to potentially escalate privileges by tricking a user into performing actions they did not intend. The vulnerability affects versions from 0.0.0 up to and including 1.02. A fix is available via plugin update.
The CSRF vulnerability in User Profile Meta Manager allows an attacker to execute arbitrary actions on behalf of an authenticated user. This could include modifying user profiles, changing settings, or performing other administrative tasks, depending on the plugin's functionality and user permissions. Successful exploitation could lead to unauthorized data modification, account compromise, and potentially complete control over the affected WordPress site. The CRITICAL CVSS score reflects the high likelihood of exploitation and significant impact.
As of the publication date (2025-05-19), there is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (POC) code has been released. The vulnerability has been added to the CISA KEV catalog, indicating a medium probability of exploitation. Monitor security advisories and threat intelligence feeds for any updates.
WordPress sites utilizing the User Profile Meta Manager plugin, particularly those with users having elevated privileges (e.g., administrators, editors). Shared hosting environments are at increased risk, as vulnerabilities in plugins can impact multiple websites hosted on the same server.
• wordpress / composer / npm:
grep -r 'user_profile_meta' /var/www/html/wp-content/plugins/
• generic web:
curl -I 'https://your-wordpress-site.com/wp-admin/admin-post.php?action=user_profile_meta_update&...' # Check for lack of CSRF tokens (URL quoted so the shell does not treat '&' as a background operator)
Disclosure
Exploit status
EPSS
0.14% (33rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-48340 is to immediately update the User Profile Meta Manager plugin to the latest available version. If upgrading is not feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. Implementing strict Content Security Policy (CSP) headers can also help mitigate CSRF attacks by restricting the sources from which scripts can be executed. Regularly review user permissions and implement multi-factor authentication (MFA) to further reduce the risk of unauthorized access.
Update the User Profile Meta Manager plugin to the latest available version to fix the CSRF vulnerability that enables privilege escalation. Check the plugin page on wordpress.org for the latest version and the update instructions. Implement additional security measures, such as input validation and output encoding, to prevent future CSRF attacks.
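The mitigation text above recommends CSRF tokens and input validation for plugin code that modifies user data. The following is an added illustrative example, not the User Profile Meta Manager plugin's code and not derived from it: a generic WordPress admin-post handler in the unprotected form that makes a CSRF-based privilege escalation possible, next to the hardened form that uses the WordPress nonce API plus a capability check. The action name `example_update_meta`, the form field names, the nonce name and the allowed meta keys are hypothetical.

```php
<?php
// Added illustrative example (not the plugin's code). Action name
// 'example_update_meta', field names and meta keys are hypothetical.

// BEFORE: the pattern behind CSRF-driven privilege escalation. The handler
// trusts any POST from a logged-in browser, so a forged cross-site form
// submission is processed as if the victim had intended it, and the client
// chooses which meta key gets written.
function example_update_meta_vulnerable() {
    $user_id  = (int) $_POST['user_id'];
    $meta_key = sanitize_key( $_POST['meta_key'] );
    update_user_meta( $user_id, $meta_key, wp_unslash( $_POST['meta_value'] ) );
    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}

// AFTER, part 1: the form embeds a nonce bound to the action and target user.
function example_render_form( $user_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_update_meta_' . $user_id, 'example_nonce' ); ?>
        <input type="hidden" name="action" value="example_update_meta">
        <input type="hidden" name="user_id" value="<?php echo (int) $user_id; ?>">
        <input type="text" name="meta_key">
        <input type="text" name="meta_value">
        <button type="submit">Save</button>
    </form>
    <?php
}

// AFTER, part 2: the handler refuses the request unless the nonce verifies
// AND the current user may edit the target user AND the key is whitelisted.
function example_update_meta_hardened() {
    $user_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;

    // 1. CSRF check. check_admin_referer() stops execution with an error
    //    page when the nonce is missing, expired or bound to another action.
    check_admin_referer( 'example_update_meta_' . $user_id, 'example_nonce' );

    // 2. Authorization check. A nonce proves intent, not permission, so the
    //    capability check is still required.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( esc_html__( 'You are not allowed to edit this user.' ), 403 );
    }

    // 3. Input validation. Never let the request choose privileged keys
    //    (e.g. the capabilities meta); accept only an explicit allow-list.
    $allowed_keys = array( 'example_display_title', 'example_department' );
    $meta_key     = isset( $_POST['meta_key'] ) ? sanitize_key( $_POST['meta_key'] ) : '';
    if ( ! in_array( $meta_key, $allowed_keys, true ) ) {
        wp_die( esc_html__( 'Invalid meta key.' ), 400 );
    }

    $meta_value = isset( $_POST['meta_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) )
        : '';
    update_user_meta( $user_id, $meta_key, $meta_value );

    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}

// Only the hardened handler is wired to the admin-post hook.
add_action( 'admin_post_example_update_meta', 'example_update_meta_hardened' );
```

The three checks are independent: the nonce alone does not stop a user with a valid session from editing an account they should not touch, and the capability check alone does not stop a forged request from the victim's own browser. When reviewing a plugin for this class of bug, look for `admin_post_*` or `wp_ajax_*` handlers that write user meta without a `check_admin_referer()` / `wp_verify_nonce()` call and a `current_user_can()` call on the target user.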
CVE-2025-48340 is a critical Cross-Site Request Forgery (CSRF) vulnerability in the User Profile Meta Manager plugin for WordPress, allowing attackers to potentially escalate privileges.
You are affected if your WordPress site uses the User Profile Meta Manager plugin in versions 0.0.0 through 1.02. Upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of the plugin. Until then, implement input validation and CSRF tokens.
While no active exploitation campaigns have been confirmed, the CRITICAL severity suggests a high potential for exploitation.
Check the plugin developer's website and WordPress plugin repository for updates and security advisories related to CVE-2025-48340.