Platform
wordpress
Component
rencontre
Fixed in
3.13.8
CVE-2025-67534 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Rencontre WordPress plugin. The flaw can be exploited to trigger Stored XSS, potentially leading to unauthorized script execution in visitors' browsers and data compromise. The vulnerability affects versions from 0.0.0 up to and including 3.13.7; a fix is available in version 3.13.8.
The CSRF vulnerability in Rencontre allows an attacker to craft malicious requests that appear to originate from a legitimate user. Successfully exploiting this vulnerability enables the attacker to inject malicious scripts, specifically leading to Stored XSS. This means the attacker can store malicious code within the plugin's data, which will then be executed whenever a user views a page containing the injected script. The impact can range from session hijacking and account takeover to defacement of the website and redirection to malicious sites. The stored nature of the XSS makes it particularly persistent and difficult to detect, as the malicious code remains embedded within the plugin's data.
CVE-2025-67534 was publicly disclosed on 2025-12-09. Its severity is rated High (CVSS 7.1). Currently there are no publicly available proof-of-concept exploits, and it is not listed in the CISA KEV catalog at the time of writing. Active exploitation is not yet confirmed, but the public availability of the vulnerability details and the potential for Stored XSS warrant immediate attention.
WordPress websites utilizing the Rencontre plugin, particularly those with user roles that have administrative privileges, are at risk. Shared hosting environments where plugin updates are managed centrally are also at increased risk, as they may be slower to apply security patches.
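To decide whether a given host is exposed, the installed plugin version has to be compared against the fixed version 3.13.8 rather than matched as a literal string. The following POSIX shell script is an added example, not part of this advisory: it parses the CSV output of `wp plugin list --format=csv` (the sample CSV is constructed), compares dot-separated numeric versions field by field, and reports any Rencontre install in the affected range 0.0.0 to 3.13.7.

```shell
#!/bin/sh
# Added example (not from the advisory): flag Rencontre installs in the affected
# range (<= 3.13.7). Assumes purely numeric dot-separated version strings, which is
# what `wp plugin list` prints for this plugin.

FIXED_VERSION="3.13.8"

# version_lt A B -> exit 0 if A < B, comparing each dot-separated field numerically;
# missing trailing fields count as 0, so 3.13 == 3.13.0
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; ai="${ai:-0}"
        bi="${b%%.*}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1   # equal versions are not "less than"
}

# is_vulnerable_version V -> exit 0 if V is in the affected range (0.0.0 .. 3.13.7)
is_vulnerable_version() {
    version_lt "$1" "$FIXED_VERSION"
}

# Constructed sample of `wp plugin list --format=csv` output.
SAMPLE_CSV='name,status,update,version
akismet,active,none,5.3
rencontre,active,available,3.13.7
hello-dolly,inactive,none,1.7.2'

# check_plugin_list CSV -> prints one verdict per rencontre row;
# exit 0 if any rencontre install is vulnerable, 1 otherwise
check_plugin_list() {
    result=$(printf '%s\n' "$1" | tail -n +2 | while IFS=, read -r name status update version; do
        [ "$name" = "rencontre" ] || continue
        if is_vulnerable_version "$version"; then
            echo "VULNERABLE rencontre $version ($status): upgrade to $FIXED_VERSION"
        else
            echo "OK rencontre $version ($status)"
        fi
    done)
    [ -n "$result" ] && printf '%s\n' "$result"
    case "$result" in
        *VULNERABLE*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run against the constructed sample; on a real host replace
# "$SAMPLE_CSV" with "$(wp plugin list --format=csv)".
if check_plugin_list "$SAMPLE_CSV"; then
    echo "action required: vulnerable Rencontre install found"
else
    echo "no vulnerable Rencontre install found"
fi
```

The version comparison deliberately avoids `sort -V`, which is a GNU extension, so the script behaves the same on BusyBox and BSD shells. A plugin that is installed but inactive still counts: the vulnerable files remain on disk until the plugin is updated or removed.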
• wordpress / composer / npm:
  grep -r 'rencontre/plugin.php' /var/www/html/
  wp plugin list | grep rencontre
• generic web (the plugin's readme.txt exposes its version in the "Stable tag" header; a HEAD request against plugin.php does not):
  curl -s https://your-wordpress-site.com/wp-content/plugins/rencontre/readme.txt | grep -i 'stable tag'
Disclosure
Exploit status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-67534 is to upgrade the Rencontre WordPress plugin to version 3.13.8 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider a Web Application Firewall (WAF) rule that filters suspicious state-changing requests to the plugin's endpoints; CSRF protection ultimately depends on the plugin validating its own nonces, so treat a WAF rule as a stopgap rather than a fix. Additionally, review and sanitize all user input handled by the plugin to prevent the injection of malicious code. Monitor WordPress and web-server logs for unusual activity, particularly requests originating from unfamiliar IP addresses. After upgrading, confirm the fix by verifying that the plugin's state-changing requests are rejected when they are submitted without a valid nonce.
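One concrete way to act on the "monitor logs" advice above is to look for state-changing requests to the plugin whose Referer is absent or points at a foreign site, because a CSRF request is issued by the victim's browser from an attacker-controlled page. The script below is an added example, not part of this advisory: it assumes Apache/Nginx "combined" log format, a placeholder site hostname in `SITE_HOST`, and a placeholder request path containing `rencontre` (the plugin's real endpoints are not named on this page); the log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): flag POST requests to Rencontre-related
# paths whose Referer is missing ("-") or names a host other than our own site.
# Assumes "combined" log format: ... "REQUEST" status bytes "REFERER" "USER-AGENT".

SITE_HOST="example-wordpress-site.test"   # assumption: replace with your site's hostname

# Constructed sample log; the request path is a placeholder, not the plugin's real endpoint.
SAMPLE_LOG='203.0.113.5 - - [09/Dec/2025:10:00:01 +0000] "POST /wp-admin/admin.php?page=rencontre HTTP/1.1" 200 512 "https://example-wordpress-site.test/wp-admin/admin.php?page=rencontre" "Mozilla/5.0"
198.51.100.7 - - [09/Dec/2025:10:00:05 +0000] "POST /wp-admin/admin.php?page=rencontre HTTP/1.1" 200 512 "https://evil.example/lure.html" "Mozilla/5.0"
198.51.100.9 - - [09/Dec/2025:10:00:09 +0000] "POST /wp-admin/admin.php?page=rencontre HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Dec/2025:10:00:12 +0000] "GET /wp-content/plugins/rencontre/readme.txt HTTP/1.1" 200 2048 "https://example-wordpress-site.test/" "Mozilla/5.0"'

# flag_suspicious_posts LOGTEXT -> prints "SUSPECT <ip> referer=<ref> <request>" for each
# POST to a rencontre path with an off-site or missing Referer; exit 0 if any were found
flag_suspicious_posts() {
    hits=$(printf '%s\n' "$1" | awk -F'"' -v host="$SITE_HOST" '
        {
            split($1, pre, " "); ip = pre[1]          # client IP is the first token
            request = $2; referer = $4                # quoted fields 1 and 2
            if (request !~ /^POST /) next             # only state-changing requests
            if (request !~ /rencontre/) next          # only the plugin in question
            ref = referer
            sub(/^https?:\/\//, "", ref)              # strip the scheme
            split(ref, parts, "/"); refhost = parts[1]
            # exact host comparison; "-" (no Referer) never matches and is reported
            if (refhost != host)
                printf "SUSPECT %s referer=%s %s\n", ip, referer, request
        }')
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 0
    fi
    return 1
}

# Stand-alone run against the constructed sample; on a real host use
# flag_suspicious_posts "$(cat /var/log/apache2/access.log)" or the Nginx equivalent.
if flag_suspicious_posts "$SAMPLE_LOG"; then
    echo "review the flagged requests above"
else
    echo "no suspicious Rencontre POSTs found"
fi
```

This is a triage signal, not proof of an attack: browsers and privacy extensions may strip the Referer on legitimate requests, and the check does not see the nonce at all. Flagged requests are worth correlating with the plugin's stored content (the Stored XSS lands in data the plugin saves) and with the account that was logged in at the time.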
Update to version 3.13.8 or a newer patched version
CVE-2025-67534 is a Cross-Site Request Forgery (CSRF) vulnerability in the Rencontre WordPress plugin allowing Stored XSS. It affects versions 0.0.0–3.13.7.
You are affected if your WordPress site uses the Rencontre plugin and is running version 3.13.7 or earlier. Upgrade to 3.13.8 to resolve the issue.
Upgrade the Rencontre WordPress plugin to version 3.13.8 or later. Consider a WAF rule as a temporary workaround if immediate upgrade is not possible.
There is currently no evidence of active exploitation, but the vulnerability's potential impact warrants immediate attention and remediation.
Refer to the official Rencontre plugin documentation and WordPress security announcements for the latest advisory and updates.