Plattform
wordpress
Komponente
cww-companion
Behoben in
1.3.3
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the CWW Companion WordPress plugin. This flaw allows attackers to potentially execute unauthorized actions on a user's account without their knowledge. The vulnerability affects versions from 0.0.0 up to and including 1.3.2. A patch has been released in version 1.3.3.
The CSRF vulnerability in CWW Companion allows an attacker to craft malicious requests that appear to originate from a legitimate user. By tricking a user into clicking a crafted link or visiting a compromised website, an attacker could potentially modify settings, create or delete content, or perform other actions as if they were the authenticated user. The impact is amplified if the plugin has administrative privileges, potentially granting the attacker full control over the WordPress site. This could lead to data breaches, website defacement, or even complete compromise of the server.
This vulnerability was publicly disclosed on 2025-12-09. No public proof-of-concept (POC) code has been identified at the time of writing. The CVSS score of 4.3 (MEDIUM) indicates a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the CWW Companion plugin, particularly those with users who have administrative privileges or handle sensitive data, are at risk. Shared hosting environments where plugin updates are managed centrally should prioritize patching to prevent widespread compromise.
• wordpress / composer / npm:
grep -r 'cww-companion/includes/functions.php' /var/www/html/• wordpress / composer / npm:
wp plugin list | grep cww-companion• wordpress / composer / npm:
wp plugin update cww-companion --alldisclosure
Exploit-Status
EPSS
0.02% (6% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation is to upgrade the CWW Companion plugin to version 1.3.3 or later, which contains the fix. If upgrading immediately is not possible, implement a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Additionally, carefully review and validate all user inputs to prevent unexpected actions. Consider implementing stricter access controls and user permissions to limit the potential damage from a successful attack. After upgrading, confirm the vulnerability is resolved by attempting a CSRF attack and verifying it is blocked.
Update to version 1.3.3, or a newer patched version
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-67473 describes a Cross-Site Request Forgery (CSRF) vulnerability in the CWW Companion WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using CWW Companion versions 0.0.0 through 1.3.2. Upgrade to 1.3.3 to mitigate the risk.
Upgrade the CWW Companion plugin to version 1.3.3 or later. Implement WAF rules as a temporary workaround if immediate upgrade isn't possible.
No active exploitation has been confirmed at this time, but the vulnerability is publicly known and could be targeted.
Check the codeworkweb website and WordPress plugin repository for the official advisory and release notes related to version 1.3.3.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.