Platform: wordpress
Component: onestore-sites
Fixed in: 0.1.2
CVE-2025-25107 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the sainwp OneStore Sites WordPress plugin. This flaw allows an attacker to trick authenticated users into performing actions they did not intend, potentially compromising their accounts or data. The vulnerability affects versions from 0.0.0 through 0.1.1, and a fix is available in version 0.1.2.
A successful CSRF attack against OneStore Sites could allow an attacker to modify site configurations, add or delete products, or even gain administrative access if the user possesses sufficient privileges. The attacker would need to craft a malicious request and lure the victim into clicking a link or visiting a compromised page. This could be achieved through phishing emails, malicious websites, or even compromised advertisements. The potential blast radius extends to all authenticated users of the plugin, making it a significant risk for WordPress sites utilizing OneStore Sites.
CVE-2025-25107 was publicly disclosed on 2025-02-07. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation, but given the CRITICAL CVSS score and the ease of CSRF exploitation, it is likely to be assessed as medium to high probability. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Exploit Status
EPSS: 0.06% (19th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-25107 is to immediately upgrade the OneStore Sites plugin to version 0.1.2 or later. If upgrading is not feasible due to compatibility issues or breaking changes, consider implementing a Content Security Policy (CSP) to restrict the sources from which the browser can load resources. Additionally, implementing CSRF tokens on all sensitive actions within the plugin can provide an extra layer of protection. After upgrading, verify the fix by attempting to trigger a sensitive action (e.g., adding a product) from a different browser session without being logged in.
Update the OneStore Sites plugin to the latest available version to mitigate the Cross-Site Request Forgery (CSRF) vulnerability. Check the plugin page on WordPress.org for the latest version and update instructions. Implement additional security measures, such as input validation and output encoding, to prevent future CSRF attacks.
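The CSRF-token mitigation above is what WordPress calls a nonce. The following is an added illustration, not code from the OneStore Sites plugin: a settings handler in the unprotected shape that CSRF exploits, beside the hardened shape that pairs a capability check with a nonce check before any state change, plus the equivalent check for an AJAX entry point. All handler names, hook names and option keys (`onestore_demo_*`) are hypothetical.

```php
<?php
/**
 * Added example of nonce-based CSRF protection for WordPress admin actions.
 * All names below are hypothetical; this is not OneStore Sites' own code.
 */

// --- Vulnerable shape (not registered with add_action on purpose).
// Any page a logged-in user visits can auto-submit a form to admin-post.php with
// action=onestore_demo_save; without a nonce and a capability check, this handler
// applies the change on the victim's behalf.
function onestore_demo_save_vulnerable() {
    update_option( 'onestore_demo_store_name', $_POST['store_name'] ); // unverified, unsanitized
    wp_safe_redirect( admin_url( 'admin.php?page=onestore-demo' ) );
    exit;
}

// --- Hardened shape: the form mints a nonce bound to this action and this user's
// session, and the handler refuses to act unless that nonce comes back.
function onestore_demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="onestore_demo_save">
        <?php wp_nonce_field( 'onestore_demo_save', '_onestore_nonce' ); ?>
        <label>Store name
            <input type="text" name="store_name"
                   value="<?php echo esc_attr( get_option( 'onestore_demo_store_name', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function onestore_demo_save_hardened() {
    // 1. Authorization: the user must be allowed to change settings at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 'Forbidden', array( 'response' => 403 ) );
    }
    // 2. CSRF check: a cross-site form cannot know the nonce value, so
    //    check_admin_referer() dies with a 403 before anything is written.
    check_admin_referer( 'onestore_demo_save', '_onestore_nonce' );
    // 3. Input validation before storing; output is escaped when rendered above.
    $name = isset( $_POST['store_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['store_name'] ) )
        : '';
    update_option( 'onestore_demo_store_name', $name );
    wp_safe_redirect( admin_url( 'admin.php?page=onestore-demo&updated=1' ) );
    exit;
}

// admin_post_{action} fires only for authenticated users, which is exactly the
// population a CSRF attack rides on; only the hardened handler is registered.
add_action( 'admin_post_onestore_demo_save', 'onestore_demo_save_hardened' );

// --- Same discipline for an AJAX endpoint (wp_ajax_{action}, logged-in users).
// The page enqueuing the script must pass wp_create_nonce( 'onestore_demo_delete' )
// to JavaScript so the request can include it as the "nonce" field.
function onestore_demo_ajax_delete_product() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'onestore_demo_delete', 'nonce' ); // dies with -1 on failure
    $product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0;
    if ( 0 === $product_id ) {
        wp_send_json_error( 'missing product_id', 400 );
    }
    // Hypothetical deletion of the product record would go here.
    wp_send_json_success( array( 'deleted' => $product_id ) );
}
add_action( 'wp_ajax_onestore_demo_delete', 'onestore_demo_ajax_delete_product' );
```

To confirm the protection is in place, test from a logged-in session rather than a logged-out one: submit the action with the nonce field removed or altered and expect WordPress's "link has expired" 403 response with no change to the stored option, then submit it from the plugin's own form and expect the change to apply. A logged-out request never reaches `admin_post_{action}` at all, so it does not exercise the nonce check.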
CVE-2025-25107 is a critical Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0–0.1.1 of the sainwp OneStore Sites WordPress plugin, allowing attackers to perform unauthorized actions.
If you are using OneStore Sites WordPress plugin versions 0.0.0 through 0.1.1, you are affected by this vulnerability. Check your plugin version immediately.
Upgrade the OneStore Sites plugin to version 0.1.2 or later to resolve the vulnerability. If upgrading is not possible, consider implementing CSP or CSRF tokens as temporary mitigations.
As of now, there are no confirmed reports of active exploitation, but the CRITICAL severity warrants immediate attention and mitigation.
Refer to the sainwp website or WordPress plugin repository for the official advisory and release notes regarding this vulnerability.