Platform
wordpress
Component
wp-change-status-notifier
Fixed in
1.0.1
CVE-2025-13521 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the WP Status Notifier plugin for WordPress. This flaw allows unauthenticated attackers to modify plugin settings by tricking administrators into performing actions. The vulnerability impacts versions 1.0.0 through 1.0, and a fix is pending release from the plugin developer.
An attacker exploiting this CSRF vulnerability could potentially alter the configuration of the WP Status Notifier plugin without authentication. This could involve changing notification settings, API keys, or other sensitive parameters. Depending on the plugin's functionality, this could lead to unauthorized access to data, modification of site behavior, or even denial of service. The impact is amplified if the plugin interacts with external services or APIs, as an attacker could potentially leverage the compromised plugin to launch attacks against those services. While the plugin itself might not be directly exploitable for broader system compromise, it represents a significant risk to WordPress site integrity and data security.
CVE-2025-13521 was publicly disclosed on 2026-01-07. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability's severity is rated as Medium. It is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed, but the ease of exploitation via CSRF makes it a potential target for opportunistic attackers.
Exploit Status
EPSS
0.02% (3% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-13521 is to upgrade to a patched version of the WP Status Notifier plugin as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds. Restrict access to the plugin's settings page using WordPress's role-based access control features, limiting access to administrators only. Carefully review any links or URLs before clicking, especially those received via email or from untrusted sources. Implement a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Regularly monitor WordPress logs for suspicious activity related to the plugin.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-13521 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP Status Notifier plugin for WordPress versions 1.0.0–1.0, allowing attackers to modify plugin settings via forged requests.
You are affected if your WordPress site uses the WP Status Notifier plugin in versions 1.0.0 through 1.0. Check your plugin versions and upgrade as soon as a patch is available.
Upgrade to the latest version of the WP Status Notifier plugin once a patch is released. Until then, restrict access to plugin settings and carefully review links.
Active exploitation is not currently confirmed, but the vulnerability's nature makes it a potential target for attackers.
Refer to the plugin developer's website or WordPress.org plugin repository for updates and advisories related to CVE-2025-13521.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.