Platform: wordpress
Component: contentstudio
Fixed in: 1.3.8
CVE-2025-13144 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the ContentStudio WordPress plugin. This flaw allows unauthenticated attackers to potentially modify plugin settings if they can trick a site administrator into performing an action, such as clicking a malicious link. The vulnerability impacts versions 1.0.0 through 1.3.7, and a patch is available in version 1.4.0.
Successful exploitation of this CSRF vulnerability could allow an attacker to alter the ContentStudio plugin's configuration without authentication. This could lead to unintended changes in plugin behavior, potentially impacting website functionality or exposing sensitive data. An attacker could, for example, modify API keys, change content scheduling parameters, or disable security features. The blast radius is limited to the scope of the ContentStudio plugin's settings, but unauthorized modifications could still disrupt website operations and compromise data integrity.
This vulnerability was publicly disclosed on 2025-12-05. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the relatively straightforward nature of CSRF exploitation and the plugin's popularity, it is plausible that attackers may develop and deploy PoCs or exploit kits in the future.
Exploit Status
EPSS: 0.02% (3rd percentile)
The primary mitigation for CVE-2025-13144 is to upgrade the ContentStudio plugin to version 1.4.0 or later, which contains the necessary nonce validation fixes. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block suspicious requests targeting the addcstusettings function. Carefully review any unusual plugin settings changes and monitor plugin activity for unauthorized modifications. While not a direct fix, enforcing strong password policies and multi-factor authentication for WordPress administrator accounts can reduce the risk of successful CSRF attacks.
Update to version 1.4.0, or a newer patched version
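The fix the advisory describes is nonce validation on the settings handler. As an added illustration (not the ContentStudio plugin's own code; handler, option and hook names are hypothetical), here is a WordPress settings handler with no CSRF protection beside the hardened form that verifies a nonce and the caller's capability:

```php
<?php
// Added example, not ContentStudio code. Function, option and nonce names are
// hypothetical; the WordPress API calls are real.

// Vulnerable pattern: any POST that reaches admin-post.php with this action
// updates the option. A form on an attacker-controlled page, submitted by a
// logged-in administrator's browser, is accepted like any other request.
function example_save_settings_vulnerable() {
    $api_key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    update_option( 'example_plugin_api_key', $api_key );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-plugin' ) );
    exit;
}

// Hardened pattern, step 1: the settings form carries a nonce bound to this
// action and to the current user's session.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="api_key"
               value="<?php echo esc_attr( get_option( 'example_plugin_api_key', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Hardened pattern, step 2: the handler rejects requests that lack a valid
// nonce, and separately checks that the user is allowed to change settings.
function example_save_settings_hardened() {
    // Authorization: only users with manage_options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }
    // CSRF check: wp_verify_nonce() is false for a missing, forged or expired nonce.
    $nonce = isset( $_POST['example_nonce'] ) ? sanitize_key( $_POST['example_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_save_settings' ) ) {
        wp_die( esc_html__( 'Security check failed.', 'example' ), 403 );
    }
    $api_key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    update_option( 'example_plugin_api_key', $api_key );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-plugin' ) );
    exit;
}

// admin_post_{action} fires for authenticated users who submit to admin-post.php.
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );
```

The capability check and the nonce check are independent: the first answers "may this user do this", the second "did this user actually intend this request", and a CSRF fix needs the second even when the first is already present.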
CVE-2025-13144 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the ContentStudio WordPress plugin, allowing attackers to modify plugin settings via forged requests.
You are affected if you are using ContentStudio WordPress plugin versions 1.0.0 through 1.3.7. Upgrade to version 1.4.0 or later to mitigate the vulnerability.
Upgrade the ContentStudio plugin to version 1.4.0 or later. Consider implementing WAF rules as a temporary workaround if upgrading is not immediately possible.
There is no confirmed active exploitation of CVE-2025-13144 at this time, but the vulnerability's nature makes it a potential target for future attacks.
Refer to the ContentStudio plugin's official website or WordPress plugin repository for the latest advisory and update information regarding CVE-2025-13144.