Platform
wordpress
Component
rabbit-hole
Fixed in
1.1.1
CVE-2025-13366 describes a Cross-Site Request Forgery (XSRF) vulnerability affecting the Rabbit Hole plugin for WordPress. This flaw allows unauthenticated attackers to manipulate the plugin's settings by tricking administrators into performing actions, such as clicking malicious links. The vulnerability impacts versions 0.0.0 through 1.1 and can lead to unauthorized configuration changes.
The primary impact of CVE-2025-13366 is the potential for an attacker to reset the Rabbit Hole plugin's settings without authentication. This could involve altering critical configurations, disabling features, or introducing malicious code. Because the reset operation is performed via a GET request, exploitation is simplified, requiring only a crafted link or image tag to trigger the action. Successful exploitation could compromise the integrity of the WordPress site and potentially lead to further attacks if the plugin's settings control access to sensitive data or functionality.
CVE-2025-13366 was publicly disclosed on 2025-12-12. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability's ease of exploitation (GET request) suggests a potential for opportunistic attacks. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.02% (3% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-13366 is to upgrade the Rabbit Hole plugin to a version that addresses the XSRF vulnerability. Since no fixed version is provided, monitor the plugin developer's website for updates. As a temporary workaround, restrict access to the plugin's reset functionality using a WordPress firewall (WAF) or by implementing custom access controls. Carefully review any links or actions requested by administrators to prevent accidental exploitation.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-13366 is a Cross-Site Request Forgery (XSRF) vulnerability in the Rabbit Hole WordPress plugin, allowing attackers to potentially reset plugin settings without authentication.
If you are using Rabbit Hole plugin versions 0.0.0 through 1.1, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as it's available.
The recommended fix is to upgrade the Rabbit Hole plugin to a version that addresses the XSRF vulnerability. Monitor the plugin developer's website for updates. Implement WAF rules as a temporary workaround.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a potential for opportunistic attacks.
Check the Rabbit Hole plugin developer's website and the WordPress plugin directory for official advisories and updates related to CVE-2025-13366.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.