Platform: wordpress
Component: thesis-openhook
Fixed in: 4.3.2
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the OpenHook WordPress plugin. This flaw allows an attacker to potentially execute unauthorized actions on a user's account without their knowledge. The vulnerability impacts versions from 0.0.0 up to and including 4.3.1. A patch is expected to be released by the vendor.
The CSRF vulnerability in OpenHook allows an attacker to craft malicious requests that appear to originate from a legitimate user. If successful, an attacker could modify plugin settings, create or delete content, or perform other actions as if they were the authenticated user. The potential impact depends on the permissions granted to the affected user account. This could lead to data modification, unauthorized access, or even complete control over the WordPress site if the user has administrative privileges. The attack surface is broad, as any user of the plugin is potentially vulnerable.
The vulnerability was publicly disclosed on 2025-12-31. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The medium CVSS score indicates a moderate risk of exploitation.
Websites using the OpenHook WordPress plugin, particularly those with users who have administrative or editor roles, are at risk. Shared hosting environments where plugin updates are managed by the hosting provider may also be vulnerable if updates are not applied promptly.
• wordpress / composer / npm:
grep -r 'openhook_save_options' /var/www/html/wp-content/plugins/
• generic web:
curl -I https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=openhook_save_options | grep -i 'referer:'
Disclosure
Exploit status:
EPSS: 0.02% (5th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-62120 is to upgrade to a patched version of the OpenHook plugin as soon as it becomes available. Until a patch is released, consider implementing additional security measures. These include restricting access to sensitive plugin settings through role-based access control within WordPress. Implementing a Content Security Policy (CSP) can also help mitigate CSRF attacks by restricting the sources from which the browser can load resources. Web Application Firewalls (WAFs) configured to detect and block CSRF attacks can provide an additional layer of defense.
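The role-based restriction described above is, in WordPress plugin code, a capability check paired with a nonce check on the request. The following added example is hypothetical and is not OpenHook's code: it shows a settings-save handler on admin-ajax.php in the CSRF-prone form and then hardened with the checks WordPress core provides (`example_` names and the `footer_hook` option are assumptions).

```php
<?php
// Added example, not the plugin's own code. Hypothetical settings handler
// for admin-ajax.php, first in the CSRF-prone form, then hardened.

// --- Vulnerable pattern: trusts any POST that reaches the handler. ---
// A cross-site request issued by an administrator's browser still carries
// their session cookie, so this saves whatever values that request contains.
function example_save_options_vulnerable() {
    $footer = isset( $_POST['footer_hook'] ) ? $_POST['footer_hook'] : '';
    update_option( 'example_footer_hook', $footer );
    wp_send_json_success();
}

// --- Hardened pattern. ---
function example_save_options_secure() {
    // 1. Nonce: proves the request came from a form this site rendered for
    //    this user and this action; a third-party page cannot read the value.
    //    check_ajax_referer() terminates with HTTP 403 when it is missing or bad.
    check_ajax_referer( 'example_save_options', '_wpnonce' );

    // 2. Capability: only users allowed to manage options may save them,
    //    whatever route the request took.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Sanitize before storing; a setting later echoed into pages must not
    //    be saved raw.
    $raw    = isset( $_POST['footer_hook'] ) ? wp_unslash( $_POST['footer_hook'] ) : '';
    $footer = wp_kses_post( $raw );
    update_option( 'example_footer_hook', $footer );
    wp_send_json_success();
}

// Only the hardened handler is registered, and only for logged-in users
// (no 'wp_ajax_nopriv_' variant), so anonymous requests never reach it.
add_action( 'wp_ajax_example_save_options', 'example_save_options_secure' );

// The legitimate settings form embeds the matching nonce so real saves succeed.
function example_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_options">';
    wp_nonce_field( 'example_save_options', '_wpnonce' );
    echo '<textarea name="footer_hook"></textarea>';
    submit_button( 'Save' );
    echo '</form>';
}
```

When auditing a plugin for this bug class, look for handlers hooked on `wp_ajax_*` or `admin_post_*` that call update_option() without a preceding check_ajax_referer()/check_admin_referer() and current_user_can().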
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-62120 describes a Cross-Site Request Forgery (CSRF) vulnerability in the OpenHook WordPress plugin, allowing attackers to perform unauthorized actions. It affects versions 0.0.0 through 4.3.1.
You are affected if your WordPress site uses the OpenHook plugin and you are running a version between 0.0.0 and 4.3.1. Check your plugin version and upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of the OpenHook plugin. Monitor the vendor's website or WordPress plugin repository for updates.
As of the current date, there are no confirmed reports of active exploitation of CVE-2025-62120, but the vulnerability is publicly known and could be targeted.
Check the official OpenHook plugin page on the WordPress plugin repository or the vendor's website for the latest advisory and patch information.