Platform
wordpress
Component
ctl-arcade-lite
Fixed in
1.0.1
CVE-2025-11886 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the CTL Arcade Lite plugin for WordPress. This flaw allows unauthenticated attackers to potentially manipulate plugin settings, such as deactivating or activating plugins, by crafting malicious requests. The vulnerability impacts versions 1.0.0 through 1.0 of the plugin. A fix is expected in a future release.
The primary impact of this CSRF vulnerability lies in the potential for unauthorized plugin management. An attacker could craft a malicious link or embed a hidden form that, when visited or submitted by a site administrator, would trigger actions on the WordPress site without the administrator's explicit consent. This could lead to the deactivation of critical plugins, disrupting site functionality, or the activation of malicious plugins that could compromise the entire WordPress installation. The blast radius extends to any site utilizing the vulnerable CTL Arcade Lite plugin, particularly those with administrative access that could be targeted.
CVE-2025-11886 is not currently listed on KEV. The EPSS score is likely low, given the requirement for administrator interaction. Public proof-of-concept exploits are not currently known. The vulnerability was publicly disclosed on 2025-11-11. There are no indications of active exploitation campaigns at this time.
Exploit Status
EPSS
0.03% (8% percentile)
CISA SSVC
CVSS Vector
The immediate mitigation for CVE-2025-11886 is to upgrade to a patched version of the CTL Arcade Lite plugin as soon as it becomes available. Until a patch is released, consider implementing stricter access controls and user awareness training to minimize the risk of successful CSRF attacks. Web Application Firewalls (WAFs) configured to detect and block CSRF attacks can provide an additional layer of protection. Monitor WordPress plugin activity logs for suspicious requests. After upgrading, confirm the vulnerability is resolved by attempting a CSRF attack via a known vulnerable endpoint and verifying that the request is blocked or fails.
Update the CTL Arcade Lite plugin to the latest available version to mitigate the Cross-Site Request Forgery (CSRF) vulnerability. Ensure that all site administrators are aware of this update and apply it as soon as possible to protect the site from potential attacks.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-11886 is a Cross-Site Request Forgery (CSRF) vulnerability in the CTL Arcade Lite WordPress plugin, allowing attackers to manipulate plugin settings without explicit admin consent.
You are affected if your WordPress site uses CTL Arcade Lite plugin versions 1.0.0–1.0. Upgrade to a patched version as soon as it's available.
Upgrade to the latest version of the CTL Arcade Lite plugin once a patch is released. Until then, implement WAF rules and user awareness training.
There are currently no indications of active exploitation campaigns for CVE-2025-11886.
Check the CTL Arcade Lite plugin's official website or WordPress plugin repository for updates and security advisories related to CVE-2025-11886.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.