Platform: wordpress
Component: authorsure
Fixed in: 2.4
CVE-2025-13134 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the AuthorSure plugin for WordPress. An unauthenticated attacker who can trick a logged-in site administrator into loading a crafted page can change the plugin's settings and, through those settings, inject malicious web scripts into the site. The vulnerability affects versions 0.0.0 through 2.3 of the plugin and is fixed in version 2.4.
The primary impact of CVE-2025-13134 is a CSRF chained into stored cross-site scripting. The attacker crafts a forged request (for example an auto-submitting form on a page they control); when an administrator who is logged in to WordPress visits that page, the browser sends the request together with the administrator's session cookie, and the plugin accepts the settings change as if the administrator had made it. The attacker never needs credentials of their own. If the modified setting is rendered into the site's pages without sanitisation, the attacker can store arbitrary JavaScript that runs for every visitor, enabling session hijacking, defacement, or redirection to malicious sites. The blast radius is therefore the whole audience of the site, not just the administrator who was tricked. Successful exploitation does require social engineering: the administrator must click a malicious link or visit the crafted page while authenticated.
CVE-2025-13134 was publicly disclosed on 2025-11-21. No public proof-of-concept (PoC) code had been released at the time of writing, and the vulnerability is not listed in the CISA KEV catalog. The EPSS score of 0.03% (7th percentile) predicts a low likelihood of exploitation in the wild, but that figure reflects observed activity rather than difficulty: a CSRF of this kind needs only an HTML page and one administrator visit, so a PoC is trivial to write once the vulnerable form and its parameters are known. CVSS, where it is published, measures severity rather than likelihood and should not be read as an exploitation probability.
Exploit Status
EPSS: 0.03% (7th percentile)
CISA SSVC: none listed
CVSS Vector: none listed
The most effective mitigation for CVE-2025-13134 is to upgrade the AuthorSure plugin to version 2.4 or later immediately. If upgrading is not feasible right away, a Web Application Firewall (WAF) can reduce exposure, but note what it can and cannot do: a WordPress nonce is derived from the site's secret keys and the user's session, so a WAF cannot verify it. What a WAF rule can do is reject cross-site POST requests to the plugin's 'authorsure' settings page, for example by requiring that the Origin or Referer header matches the site's own host, which blocks the forged request a CSRF page would produce. Additionally, educate administrators about the risks of clicking suspicious links while logged in to the WordPress dashboard, and regularly review WordPress user permissions so that only users who need it hold administrative access.
A patched release (2.4) is available, so the upgrade should be the first action. If the plugin cannot be updated and its functionality is not essential, deactivate or uninstall it until it can be upgraded or replaced; review the vulnerability's details and choose mitigations based on your organization's risk tolerance.
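The pattern that produces this class of bug, and the fix, is easiest to see in code. The block below is an added example written for this page, not AuthorSure's actual code: a generic WordPress settings handler that accepts a cross-site POST and echoes stored HTML unescaped, beside the hardened form that ties the request to a nonce and capability check and sanitises on both input and output. Every option name, hook name, field name and admin page slug in it is hypothetical; only the WordPress API functions (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `wp_kses_post`, `update_option`, and so on) are real.

```php
<?php
// Added illustrative example (not the AuthorSure plugin's code).
// Option, hook, field and page-slug names are hypothetical placeholders.

/*
 * VULNERABLE PATTERN: no nonce, no capability check, raw HTML stored and
 * later printed without escaping. A forged POST from an administrator's
 * browser is indistinguishable from a legitimate save, and whatever lands
 * in 'author_box_html' becomes stored XSS rendered on every post.
 */
function authorsure_example_save_settings_vulnerable() {
    if ( isset( $_POST['author_box_html'] ) ) {
        update_option( 'authorsure_example_box_html', wp_unslash( $_POST['author_box_html'] ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=authorsure' ) );
    exit;
}

function authorsure_example_render_box_vulnerable( $content ) {
    // Unescaped output: an injected <script> runs for every visitor.
    return $content . get_option( 'authorsure_example_box_html', '' );
}

/*
 * HARDENED PATTERN: capability check, CSRF nonce bound to the action and the
 * logged-in user, allow-list sanitisation on input, escaping on output.
 */
function authorsure_example_save_settings_hardened() {
    // 1. Authorisation: only users who may manage options can save settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. CSRF: check_admin_referer() verifies the nonce for this action and
    //    stops execution if it is missing or wrong. The nonce is an HMAC over
    //    the action, user ID and session token, so it has to be checked here,
    //    inside WordPress; a WAF in front of the site cannot compute it.
    check_admin_referer( 'authorsure_example_save', '_authorsure_example_nonce' );

    // 3. Input sanitisation: wp_kses_post() keeps the HTML a post author may
    //    use and strips <script>, event-handler attributes and javascript: URLs.
    $html = isset( $_POST['author_box_html'] )
        ? wp_kses_post( wp_unslash( $_POST['author_box_html'] ) )
        : '';
    update_option( 'authorsure_example_box_html', $html );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=authorsure' ) ) );
    exit;
}

function authorsure_example_render_box_hardened( $content ) {
    // 4. Output sanitisation as well, so a value written by another path
    //    (an older plugin version, a direct database edit) still cannot
    //    carry script into the page.
    return $content . wp_kses_post( get_option( 'authorsure_example_box_html', '' ) );
}

// The settings form must emit the nonce that the handler checks. Without the
// hidden nonce field, check_admin_referer() rejects every submission,
// including the attacker's forged one.
function authorsure_example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="authorsure_example_save">
        <?php wp_nonce_field( 'authorsure_example_save', '_authorsure_example_nonce' ); ?>
        <textarea name="author_box_html"><?php echo esc_textarea( get_option( 'authorsure_example_box_html', '' ) ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Wire the hardened handler: admin-post.php dispatches on the 'action' field.
add_action( 'admin_post_authorsure_example_save', 'authorsure_example_save_settings_hardened' );
add_filter( 'the_content', 'authorsure_example_render_box_hardened' );
```

Two points are worth keeping in mind when reviewing a plugin for this bug. A capability check alone does not stop CSRF, because the forged request arrives with the administrator's own session and passes `current_user_can()`; the nonce is what binds the request to a form the administrator actually loaded. And a nonce alone does not remove the XSS: if a setting is meant to hold HTML, it still needs `wp_kses_post()` (or a stricter allow-list) on the way in and escaping on the way out, otherwise any other route to the option remains a script-injection point.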
CVE-2025-13134 is a Cross-Site Request Forgery (CSRF) vulnerability in the AuthorSure WordPress plugin, allowing attackers to manipulate settings and inject scripts if they can trick an administrator.
You are affected if you are using AuthorSure plugin versions 0.0.0 through 2.3. Upgrade to 2.4 or later to mitigate the risk.
Upgrade the AuthorSure plugin to version 2.4 or later. As a temporary workaround, add a WAF rule that rejects cross-site POST requests to the plugin's settings page (for example, requests whose Origin or Referer header does not match your site); a WAF cannot validate WordPress nonces itself, so this is a stopgap, not a substitute for the patch.
While no public exploit is currently known, exploitation needs only a crafted web page and a logged-in administrator who visits it, so the absence of a PoC should not be taken as low risk.
Refer to the AuthorSure plugin documentation and WordPress security announcements for the official advisory regarding CVE-2025-13134.