Platform
wordpress
Component
ultimate-faqs
Fixed in
2.5.4
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Ultimate FAQ WordPress plugin. The flaw lets an attacker perform unauthorized actions in the context of a logged-in user's account if that user is tricked into clicking a malicious link. The vulnerability affects versions from 0.0.0 through 2.4.3, and a patch is available in version 2.4.4.
The CSRF vulnerability in Ultimate FAQ allows an attacker to craft malicious requests that appear to originate from a legitimate user. If a user is tricked into visiting a specially crafted URL, the attacker can execute actions on their behalf, such as modifying FAQ settings or creating new FAQs. This could lead to unauthorized changes to the website's content and potentially compromise the integrity of the site. The impact is amplified if the affected user has administrative privileges, as an attacker could then gain control over the entire WordPress installation.
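The mechanism described above is the classic WordPress CSRF pattern: a state-changing admin handler that trusts any POST reaching it. The following is an added illustration, not code from the Ultimate FAQ plugin or from this advisory; the handler, option and action names (myfaq_*) are hypothetical. It shows a vulnerable handler next to the hardened form that uses the nonce and capability checks WordPress itself provides.

```php
<?php
// Added example (not Ultimate FAQ's own code): a hypothetical WordPress
// admin-post handler that saves a plugin setting, shown first without and
// then with CSRF protection (WordPress nonce + capability check).
// Function, option and action names are assumptions for illustration.

// --- Vulnerable pattern: every request that reaches admin-post.php with
// action=myfaq_save_settings is honoured, so a form submitted cross-site by a
// logged-in administrator's browser silently changes the option. ---
function myfaq_save_settings_vulnerable() {
    if ( isset( $_POST['myfaq_title'] ) ) {
        update_option( 'myfaq_title', sanitize_text_field( wp_unslash( $_POST['myfaq_title'] ) ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=myfaq' ) );
    exit;
}

// --- Hardened pattern ---
// 1. The settings form embeds a nonce bound to one specific action name.
function myfaq_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myfaq_save_settings">
        <?php wp_nonce_field( 'myfaq_save_settings', 'myfaq_nonce' ); ?>
        <input type="text" name="myfaq_title"
               value="<?php echo esc_attr( get_option( 'myfaq_title', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. The handler rejects requests whose nonce is missing, expired or bound to
//    a different action, then verifies the user may change settings at all.
//    check_admin_referer() stops execution with an error page on failure,
//    which is exactly what a forged cross-site request receives.
function myfaq_save_settings_hardened() {
    check_admin_referer( 'myfaq_save_settings', 'myfaq_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'myfaq' ), 403 );
    }
    $title = isset( $_POST['myfaq_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['myfaq_title'] ) )
        : '';
    update_option( 'myfaq_title', $title );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=myfaq' ) ) );
    exit;
}

// Register only the hardened handler; the vulnerable one is kept for comparison.
add_action( 'admin_post_myfaq_save_settings', 'myfaq_save_settings_hardened' );
```

The nonce alone is not sufficient: it proves the request originated from a form this site rendered for this user, while `current_user_can()` proves the user is allowed to take the action. A handler needs both, and a WAF rule can only approximate the first.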
This vulnerability was publicly disclosed on 2025-12-09. No public proof-of-concept (POC) code has been identified as of this writing. The CVSS score of 4.3 (Medium) indicates a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog.
Websites utilizing the Ultimate FAQ plugin, particularly those running older versions (0.0.0–2.4.3), are at risk. Shared hosting environments where plugin updates are managed centrally are also at increased risk, as users may not have direct control over plugin versions.
• wordpress / composer / npm:
grep -r 'ultimate-faqs/includes/class-ultimate-faq-admin.php' * | grep -i 'wp_nonce_field'
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/ultimate-faq/includes/class-ultimate-faq-admin.php | grep -i 'ultimate-faqs'
Disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-67590 is to upgrade the Ultimate FAQ plugin to version 2.4.4 or later. If immediate upgrading is not possible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) with CSRF protection rules. Additionally, ensure that all user accounts utilize strong, unique passwords and that two-factor authentication is enabled wherever possible. Regularly review WordPress user roles and permissions to minimize the potential impact of a successful attack.
Update to version 2.4.4, or a newer patched version.
CVE-2025-67590 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0–2.4.3 of the Ultimate FAQ WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using the Ultimate FAQ plugin in WordPress versions 0.0.0 through 2.4.3. Check your plugin version and upgrade immediately if necessary.
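To turn "check your plugin version" into something repeatable, the following added example (not from this advisory or the plugin) reads the Version: header that WordPress itself uses for plugin metadata and compares it against the patched release named on this page with version_compare(). The header text embedded below is constructed for the demonstration; point read_plugin_version_from_file() at the plugin's real main file to check an installation.

```php
<?php
// Added example (not from the advisory or the plugin): read the "Version:"
// header of a WordPress plugin's main file and compare it with the patched
// release stated on this page. The sample header below is constructed.

const ULTIMATE_FAQ_PATCHED = '2.4.4'; // fixed version named in the advisory

// WordPress reads plugin metadata from the comment block at the top of the
// main file; this mirrors its "Version:" lookup with a small regex.
function read_plugin_version( string $header_text ): ?string {
    if ( preg_match( '/^[ \t\/*#@]*Version:\s*([^\r\n]+)/mi', $header_text, $m ) ) {
        return trim( $m[1] );
    }
    return null;
}

function read_plugin_version_from_file( string $path ): ?string {
    // WordPress also inspects only the first 8 KiB of the file.
    $head = file_get_contents( $path, false, null, 0, 8192 );
    return $head === false ? null : read_plugin_version( $head );
}

// true when the installed version is older than the patched release.
function is_affected( string $installed, string $patched = ULTIMATE_FAQ_PATCHED ): bool {
    return version_compare( $installed, $patched, '<' );
}

// Constructed sample header (not the real plugin file) to exercise the check.
$sample_header = <<<'HEADER'
<?php
/**
 * Plugin Name: Ultimate FAQ
 * Version: 2.4.3
 */
HEADER;

$installed = read_plugin_version( $sample_header );
printf(
    "installed %s, patched %s => %s\n",
    $installed ?? 'unknown',
    ULTIMATE_FAQ_PATCHED,
    ( $installed !== null && is_affected( $installed ) ) ? 'AFFECTED, update' : 'not affected'
);
```

On a multi-site or centrally managed host, run the file-based check across every wp-content/plugins directory rather than trusting the version shown in a single dashboard, since the advisory notes that users of such environments may not control plugin updates themselves.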
Upgrade the Ultimate FAQ plugin to version 2.4.4 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
As of the current date, there is no confirmed evidence of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the Rustaurius website and WordPress plugin repository for the latest advisory and update information regarding CVE-2025-67590.