Scan free
MEDIUMCVE-2025-67473CVSS 4.3

CVE-2025-67473: CSRF in CWW Companion WordPress Plugin

Platform

wordpress

Component

cww-companion

Fixed in

1.3.3

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026
View on NVD
Save

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the CWW Companion WordPress plugin. This flaw allows attackers to potentially execute unauthorized actions on a user's account without their knowledge. The vulnerability affects versions from 0.0.0 up to and including 1.3.2. A patch has been released in version 1.3.3.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Impact and Attack Scenarios

The CSRF vulnerability in CWW Companion allows an attacker to craft malicious requests that appear to originate from a legitimate user. By tricking a user into clicking a crafted link or visiting a compromised website, an attacker could potentially modify settings, create or delete content, or perform other actions as if they were the authenticated user. The impact is amplified if the plugin has administrative privileges, potentially granting the attacker full control over the WordPress site. This could lead to data breaches, website defacement, or even complete compromise of the server.

Exploitation Context

This vulnerability was publicly disclosed on 2025-12-09. No public proof-of-concept (POC) code has been identified at the time of writing. The CVSS score of 4.3 (MEDIUM) indicates a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.02% (6% percentile)

CISA SSVC

Exploitationnone
Automatableno
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N4.3MEDIUMAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionRequiredWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityNoneRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentcww-companion
Vendorwordfence
Affected rangeFixed in
0.0.0 – 1.3.21.3.3

Package Information

Active installs
1KNiche
Plugin rating
0.0
Requires WordPress
3.0.1+
Compatible up to
6.9.4
Requires PHP
7.4+
Homepage

Weakness Classification (CWE)

CWE-352

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation is to upgrade the CWW Companion plugin to version 1.3.3 or later, which contains the fix. If upgrading immediately is not possible, implement a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Additionally, carefully review and validate all user inputs to prevent unexpected actions. Consider implementing stricter access controls and user permissions to limit the potential damage from a successful attack. After upgrading, confirm the vulnerability is resolved by attempting a CSRF attack and verifying it is blocked.

How to fix

Update to version 1.3.3, or a newer patched version

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-67473 — CSRF in CWW Companion?

CVE-2025-67473 describes a Cross-Site Request Forgery (CSRF) vulnerability in the CWW Companion WordPress plugin, allowing attackers to perform unauthorized actions.

Am I affected by CVE-2025-67473 in CWW Companion?

You are affected if you are using CWW Companion versions 0.0.0 through 1.3.2. Upgrade to 1.3.3 to mitigate the risk.

How do I fix CVE-2025-67473 in CWW Companion?

Upgrade the CWW Companion plugin to version 1.3.3 or later. Implement WAF rules as a temporary workaround if immediate upgrade isn't possible.

Is CVE-2025-67473 being actively exploited?

No active exploitation has been confirmed at this time, but the vulnerability is publicly known and could be targeted.

Where can I find the official CWW Companion advisory for CVE-2025-67473?

Check the codeworkweb website and WordPress plugin repository for the official advisory and release notes related to version 1.3.3.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs