Platform: wordpress
Component: ark-relatedpost
Fixed in: 2.20
CVE-2025-13684 describes a Cross-Site Request Forgery (CSRF) vulnerability in the ARK Related Posts plugin for WordPress. It allows an unauthenticated attacker to change the plugin's configuration settings, provided they can get a logged-in site administrator to open a crafted link or page that submits the forged request from the administrator's own browser. All versions from 0.0.0 through 2.19 are affected; version 2.20 contains the fix.
The primary impact is unauthorized modification of the ARK Related Posts plugin's settings. Depending on which options the plugin exposes, an attacker could change how related posts are selected or rendered and, if a setting accepts free-form markup or URLs, use it to inject content or redirect visitors; the advisory does not say which settings are affected, so treat those outcomes as possibilities rather than confirmed behaviour. The plugin holds no sensitive data of its own, but a tampered configuration changes what every visitor sees and could serve as a stepping stone for further attacks. Exploitation requires no account on the target site: the attacker hosts a page or link that makes a logged-in administrator's browser send the settings request, and the browser attaches the administrator's authentication cookies automatically. This is the classic CSRF pattern, in which the attacker rides a victim's authenticated session to act on their behalf; the missing control is a per-user, per-action nonce that the settings handler should demand and verify before saving anything.
This vulnerability was publicly disclosed on 2025-12-05. There is currently no indication of active exploitation campaigns targeting this specific flaw. No Proof-of-Concept (PoC) code has been publicly released. The vulnerability has not been added to the CISA KEV catalog at the time of this writing.
Exploit Status
EPSS: 0.02% (3rd percentile)
CISA SSVC:
CVSS Vector:
The recommended mitigation for CVE-2025-13684 is to upgrade the ARK Related Posts plugin to version 2.20 or later as soon as possible. If the upgrade must wait for compatibility testing, a Web Application Firewall (WAF) rule can reduce exposure in the meantime: reject POST requests to the plugin's arkrpoptions_page settings endpoint that carry no _wpnonce parameter, or whose Origin or Referer header does not match the site's own domain. Be clear about the limit of this workaround: a WAF can check that a nonce field is present and that the request appears to originate from the site itself, but it cannot verify the nonce value, which only WordPress can do against the logged-in user's session, so the rule is a stopgap and not a substitute for the patch. Also remind administrators not to follow unsolicited links while logged in to wp-admin and to treat unexpected confirmation prompts with suspicion, and review the plugin's settings periodically for changes nobody made.
Update to version 2.20, or a newer patched version
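To make the mechanism described above and the nonce-based fix concrete, here is an added example written for this page; it is not code from the ARK Related Posts plugin or its author. It shows a minimal WordPress options handler in the CSRF-vulnerable shape the advisory describes, next to a hardened version of the same handler and the settings form that feeds it. The option names (arkrp_post_count, arkrp_title), the admin-post action name arkrp_save_settings and the form fields are hypothetical; only the arkrpoptions_page slug comes from the advisory, and the real plugin's internals may differ.

```php
<?php
/**
 * Added example (hypothetical, not the ARK Related Posts plugin's own code).
 * A WordPress settings handler in its CSRF-vulnerable form and a hardened form.
 * Option names, the action name and the form fields are invented for illustration.
 */

// --- Vulnerable pattern (shown for contrast, deliberately not hooked). ---
// Only the browser's auth cookie identifies the caller, so a form on an
// attacker-controlled page that auto-submits to
// admin-post.php?action=arkrp_save_settings is processed as the administrator.
function arkrp_save_settings_vulnerable() {
    update_option( 'arkrp_post_count', $_POST['post_count'] ?? 5 );
    update_option( 'arkrp_title', $_POST['title'] ?? '' );
    wp_safe_redirect( admin_url( 'options-general.php?page=arkrpoptions_page' ) );
    exit;
}

// --- Hardened pattern: capability check, nonce check, sanitisation. ---
function arkrp_save_settings_hardened() {
    // 1. Capability: the session must belong to a user allowed to manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: check_admin_referer() verifies the _wpnonce field against this
    //    action and the current user's session and dies if it does not match.
    //    A cross-origin page cannot read the nonce, so a forged POST stops here.
    check_admin_referer( 'arkrp_save_settings' );

    // 3. Sanitise before storing; clamp the count to a sane range.
    $count = absint( $_POST['post_count'] ?? 5 );
    $count = max( 1, min( 20, $count ) );
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );

    update_option( 'arkrp_post_count', $count );
    update_option( 'arkrp_title', $title );

    wp_safe_redirect( add_query_arg( 'updated', '1',
        admin_url( 'options-general.php?page=arkrpoptions_page' ) ) );
    exit;
}
// admin_post_{action} fires only for logged-in users; no admin_post_nopriv_
// hook is registered, so anonymous POSTs to this action are ignored entirely.
add_action( 'admin_post_arkrp_save_settings', 'arkrp_save_settings_hardened' );

// Settings page: the form carries the nonce that the hardened handler checks.
function arkrp_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    ?>
    <div class="wrap">
      <h1>ARK Related Posts (example settings)</h1>
      <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'arkrp_save_settings' ); // emits _wpnonce and _wp_http_referer ?>
        <input type="hidden" name="action" value="arkrp_save_settings">
        <p><label>Posts to show
          <input type="number" name="post_count" min="1" max="20"
                 value="<?php echo esc_attr( get_option( 'arkrp_post_count', 5 ) ); ?>">
        </label></p>
        <p><label>Heading
          <input type="text" name="title"
                 value="<?php echo esc_attr( get_option( 'arkrp_title', 'Related posts' ) ); ?>">
        </label></p>
        <?php submit_button( 'Save' ); ?>
      </form>
    </div>
    <?php
}
add_action( 'admin_menu', function () {
    add_options_page( 'ARK Related Posts', 'ARK Related Posts', 'manage_options',
                      'arkrpoptions_page', 'arkrp_render_settings_page' );
} );
```

The hardened handler refuses the request unless two conditions hold: the session belongs to a user with the manage_options capability, and the POST carries a _wpnonce that check_admin_referer() can verify for this action and this user. A page on another origin can make the administrator's browser send the POST with cookies attached, but it cannot read the nonce out of the settings page, so the forged request dies before update_option() runs. Plugins that register their options through the Settings API (register_setting() with a form posting to options.php) get the same nonce and capability checks from WordPress core without writing them by hand.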
CVE-2025-13684 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0 through 2.19 of the ARK Related Posts WordPress plugin. It lets an attacker change the plugin's settings by getting a logged-in administrator's browser to submit a forged request.
You are affected if your WordPress site uses the ARK Related Posts plugin in versions 0.0.0 through 2.19. Upgrade to 2.20 or later to resolve the issue.
Upgrade the ARK Related Posts plugin to version 2.20 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
There is currently no evidence of active exploitation campaigns targeting CVE-2025-13684.
Refer to the ARK Related Posts plugin's official website or WordPress plugin repository for the latest advisory and update information.