Platform: wordpress
Component: munk-sites
Fixed in: 1.0.8
CVE-2025-25101 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the MetricThemes Munk Sites WordPress plugin. This flaw allows an attacker to trick authenticated users into performing actions they did not intend to, potentially leading to unauthorized modifications or deletions of site content. The vulnerability impacts versions 0.0.0 through 1.0.7, and a patch is available in version 1.0.8.
A successful CSRF attack on Munk Sites could allow an attacker to modify site settings, delete content, or even install malicious plugins without the user's knowledge. This is particularly concerning for sites with sensitive data or critical functionality. The attacker would need to craft a malicious request and entice the user to click a link or visit a compromised page. The impact is amplified if the site administrator has access to sensitive areas of the plugin, as an attacker could leverage this to gain full control of the WordPress site. This vulnerability highlights the importance of proper CSRF protection in WordPress plugins, as it can be a gateway for more severe attacks.
CVE-2025-25101 was publicly disclosed on 2025-02-07. No public proof-of-concept (POC) code has been released at the time of writing, but the CSRF nature of the vulnerability makes it relatively easy to exploit. The EPSS score is likely to be medium, indicating a moderate probability of exploitation given the ease of exploitation and the widespread use of WordPress. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.74% (73rd percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-25101 is to immediately upgrade the Munk Sites plugin to version 1.0.8 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Additionally, ensure that users are educated about the risks of clicking suspicious links and visiting untrusted websites. Verify the upgrade by attempting to perform an action as a logged-in user and confirming that the action requires explicit confirmation or is protected by a CSRF token.
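To make the "protected by a CSRF token" check concrete, the following is an added example of the nonce-plus-capability pattern that WordPress itself provides for plugin admin actions; it is not code from the Munk Sites plugin or from MetricThemes, and the action name, nonce field name, capability and option key are assumed for illustration.

```php
<?php
// Added example, not code from the Munk Sites plugin. Demonstrates the WordPress
// nonce + capability pattern that closes a CSRF hole in an admin-post handler.
// The action name, nonce name and option key below are hypothetical.

// 1. Form output: embed a nonce tied to this action and the current user session.
//    A page on another origin cannot read this value, so it cannot forge the POST.
function munk_example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="munk_example_save_settings">
        <?php wp_nonce_field( 'munk_example_save_settings', '_munk_example_nonce' ); ?>
        <label>Site title override
            <input type="text" name="munk_example_title"
                   value="<?php echo esc_attr( get_option( 'munk_example_title', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Handler: the vulnerable shape of such a handler is one that jumps straight to
//    update_option(). Here both checks run before any state changes.
function munk_example_save_settings() {
    // Authorization: only users who may change site settings reach this code.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // CSRF check: verifies the nonce bound to this action and this user's session;
    // on a forged cross-site request the nonce is missing or wrong and wp_die() fires.
    check_admin_referer( 'munk_example_save_settings', '_munk_example_nonce' );

    // Input handling after the request has been authenticated as intentional.
    $title = isset( $_POST['munk_example_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['munk_example_title'] ) )
        : '';
    update_option( 'munk_example_title', $title );

    // Return to the settings screen rather than leaving the user on admin-post.php.
    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}
add_action( 'admin_post_munk_example_save_settings', 'munk_example_save_settings' );
```

When auditing a plugin (or verifying a fix), look for every `admin_post_*`, `wp_ajax_*` and settings-save hook and confirm that a `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` call and a `current_user_can()` check both precede the first write; the capability check alone does not stop CSRF, because the forged request rides on the victim's own logged-in session.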
Update the Munk Sites plugin to the latest available version to mitigate the CSRF vulnerability. This update addresses the possibility of an attacker performing unauthorized actions on your WordPress website through forged requests. Ensure you back up your site before updating.
CVE-2025-25101 is a critical Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0–1.0.7 of the MetricThemes Munk Sites WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using the Munk Sites plugin in versions 0.0.0 through 1.0.7. Upgrade to 1.0.8 or later to mitigate the risk.
Upgrade the Munk Sites plugin to version 1.0.8 or later. If upgrading is not possible, implement a WAF with CSRF protection rules.
While no public exploits are currently known, the ease of exploitation suggests a potential for active exploitation. Monitor your site closely.
Refer to the MetricThemes website or WordPress plugin repository for the official advisory and update information.