MEDIUM · CVE-2025-13366 · CVSS 4.3

CVE-2025-13366: XSRF in Rabbit Hole WordPress Plugin

Platform: wordpress

Component: rabbit-hole

Fixed in: 1.1.1

AI Confidence: high · Source: NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2025-13366 describes a Cross-Site Request Forgery (XSRF) vulnerability affecting the Rabbit Hole plugin for WordPress. This flaw allows unauthenticated attackers to manipulate the plugin's settings by tricking administrators into performing actions, such as clicking malicious links. The vulnerability impacts versions 0.0.0 through 1.1 and can lead to unauthorized configuration changes.


Impact and Attack Scenarios

The primary impact of CVE-2025-13366 is that an attacker can cause the Rabbit Hole plugin's settings to be reset without authenticating, by inducing a logged-in administrator to issue the request. This could involve altering critical configurations, disabling features, or introducing malicious code. Because the reset operation is performed via a GET request, exploitation is simplified: a crafted link or image tag is enough to trigger the action. Successful exploitation could compromise the integrity of the WordPress site and potentially lead to further attacks if the plugin's settings control access to sensitive data or functionality.

Exploitation Context

CVE-2025-13366 was publicly disclosed on 2025-12-12. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability's ease of exploitation (GET request) suggests a potential for opportunistic attacks. It is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.02% (3rd percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Base score: 4.3 (MEDIUM)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: None (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)

nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: rabbit-hole
Vendor: wordfence
Affected range: 0 – 1.1
Fixed in: 1.1.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 163 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2025-13366 is to upgrade the Rabbit Hole plugin to a version that addresses the XSRF vulnerability. Since no fixed version is provided, monitor the plugin developer's website for updates. As a temporary workaround, restrict access to the plugin's reset endpoint with a web application firewall (WAF) or custom access controls. Administrators should also treat unsolicited links and embedded content with caution, since the reset is triggered by a plain GET request and can be fired without any visible action on their part.
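As an added illustration of the Impact and Mitigation sections above (constructed here, not code from the Rabbit Hole plugin, whose source is not on this page), the GET-triggered, nonce-less reset pattern this CVE describes sits beside the form a WordPress plugin should use: a POST-only handler gated on a capability check and a user-bound nonce. The option name `rh_settings`, the request parameters, the action names and the hook registrations are all hypothetical placeholders.

```php
<?php
// Added example; not the plugin's own code. Names are hypothetical.

// BEFORE (the pattern CVE-2025-13366 describes): a settings reset that runs
// on any GET carrying the parameter, with no nonce and no capability check.
// The browser of a logged-in administrator sends the admin cookies with the
// request, so any page that administrator views can trigger the reset.
function rh_vulnerable_reset_handler() {
    if ( isset( $_GET['rh_reset'] ) ) {
        delete_option( 'rh_settings' );   // state change on GET, no nonce, no capability check
        wp_safe_redirect( admin_url( 'options-general.php?page=rh' ) );
        exit;
    }
}
// add_action( 'admin_init', 'rh_vulnerable_reset_handler' );

// AFTER: only POST changes state; the caller must hold manage_options; and
// the request must carry a nonce that WordPress ties to this action and to
// the logged-in user's session, which a third-party page cannot obtain.
function rh_hardened_reset_handler() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) || empty( $_POST['rh_reset'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Stops the request with a 403 if the nonce is missing, expired or forged.
    check_admin_referer( 'rh_reset_settings', 'rh_nonce' );

    delete_option( 'rh_settings' );
    wp_safe_redirect( add_query_arg( 'rh_reset_done', '1', admin_url( 'options-general.php?page=rh' ) ) );
    exit;
}
add_action( 'admin_init', 'rh_hardened_reset_handler' );

// The matching settings-page form. wp_nonce_field() emits the hidden nonce
// (named rh_nonce) and the referer field that check_admin_referer() expects.
function rh_render_reset_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'options-general.php?page=rh' ) ) . '">';
    wp_nonce_field( 'rh_reset_settings', 'rh_nonce' );
    submit_button( 'Reset settings', 'delete', 'rh_reset' );
    echo '</form>';
}
```

The hardened handler still needs the capability check: a nonce proves the request came from a page WordPress rendered for that user, not that the user is allowed to perform the action.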

How to fix

No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.


Frequently asked questions

What is CVE-2025-13366 — XSRF in Rabbit Hole WordPress Plugin?

CVE-2025-13366 is a Cross-Site Request Forgery (XSRF) vulnerability in the Rabbit Hole WordPress plugin, allowing attackers to potentially reset plugin settings without authentication.

Am I affected by CVE-2025-13366 in Rabbit Hole WordPress Plugin?

If you are using Rabbit Hole plugin versions 0.0.0 through 1.1, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as it's available.

How do I fix CVE-2025-13366 in Rabbit Hole WordPress Plugin?

The recommended fix is to upgrade the Rabbit Hole plugin to a version that addresses the XSRF vulnerability. Monitor the plugin developer's website for updates. Implement WAF rules as a temporary workaround.

Is CVE-2025-13366 being actively exploited?

While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a potential for opportunistic attacks.

Where can I find the official Rabbit Hole advisory for CVE-2025-13366?

Check the Rabbit Hole plugin developer's website and the WordPress plugin directory for official advisories and updates related to CVE-2025-13366.
