Platform: wordpress
Component: user-profile-meta
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the User Profile Meta Manager plugin for WordPress. This flaw allows an attacker to potentially escalate privileges within a user's profile, leading to unauthorized modifications. The vulnerability impacts versions from 0.0.0 up to and including 1.02. A fix is expected from the plugin developer.
The CSRF vulnerability in User Profile Meta Manager allows an attacker to craft malicious requests that appear to originate from a legitimate user. By tricking a user into visiting a specially crafted link or page, an attacker can execute actions on their behalf, such as modifying user profile settings, changing roles, or performing other administrative tasks. The impact is significant, as successful exploitation can lead to unauthorized access and control over user accounts and potentially the entire WordPress site, depending on the user's privileges. This is particularly concerning if the affected user has administrative rights.
This vulnerability has been publicly disclosed. While no active exploitation campaigns have been confirmed, the CRITICAL CVSS score indicates a high potential for exploitation. The lack of a fixed version necessitates immediate attention. Monitor security forums and threat intelligence feeds for any signs of exploitation. No KEV listing at the time of writing.
Exploit Status
EPSS: 0.14% (33rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to a patched version of the User Profile Meta Manager plugin as soon as one becomes available. Until then, apply strict input validation on every user-profile modification endpoint so that malicious data is rejected before it is processed, and protect every sensitive action in the plugin with a CSRF token (in WordPress, a nonce verified on the server) so that only requests originating from a page the site rendered for that user are accepted. A Web Application Firewall (WAF) can be configured to detect and block suspicious CSRF attempts by inspecting request patterns and the Referer header. Regularly review user permissions and access controls to limit the impact of a successful attack.
Update the User Profile Meta Manager plugin to the latest available version to mitigate the CSRF vulnerability that allows privilege escalation. Check the plugin page on wordpress.org for the latest version and update instructions. Implement additional security measures, such as input validation and output encoding, to prevent future CSRF attacks.
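The following is an added illustration of the nonce-plus-capability pattern the mitigation above recommends for a WordPress profile-meta form. It is example code written for this advisory, not code from the User Profile Meta Manager plugin; the action name `upmm_save_meta`, the nonce field name `upmm_nonce` and the allow-list of editable meta keys are assumptions.

```php
<?php
// Added example (not code from the User Profile Meta Manager plugin): a minimal
// WordPress admin-post handler that saves one user-meta field the way a
// CSRF-safe plugin should. The names 'upmm_save_meta', 'upmm_nonce' and the
// allow-list below are assumptions made for this illustration.

// Meta keys a user may edit through this form. Role and capability keys
// (wp_capabilities, wp_user_level) are deliberately absent, so neither a forged
// request nor a tampered field name can change the account's privileges.
const UPMM_EDITABLE_KEYS = array( 'nickname', 'description', 'upmm_phone' );

// Render the form. wp_nonce_field() embeds a per-user, time-limited token that
// a third-party page cannot know or read, which is what defeats CSRF.
function upmm_render_profile_form( $user_id ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="upmm_save_meta">';
    echo '<input type="hidden" name="user_id" value="' . (int) $user_id . '">';
    wp_nonce_field( 'upmm_save_meta_' . $user_id, 'upmm_nonce' );
    echo '<input type="text" name="meta_key">';
    echo '<input type="text" name="meta_value">';
    echo '<button type="submit">Save</button></form>';
}

// Handle the submission. The nonce proves the request came from a page
// WordPress rendered for this user; the capability check enforces who may
// edit whom; the allow-list bounds what can be written.
function upmm_handle_save_meta() {
    $user_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;

    // 1. CSRF check: the nonce must match this action AND this target user.
    //    check_admin_referer() calls wp_die() when the nonce is missing or invalid.
    check_admin_referer( 'upmm_save_meta_' . $user_id, 'upmm_nonce' );

    // 2. Authorization: only users allowed to edit this profile may continue.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 3. Input validation: restrict the key to the allow-list and sanitize the value.
    $key   = isset( $_POST['meta_key'] ) ? sanitize_key( wp_unslash( $_POST['meta_key'] ) ) : '';
    $value = isset( $_POST['meta_value'] ) ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) ) : '';
    if ( ! in_array( $key, UPMM_EDITABLE_KEYS, true ) ) {
        wp_die( 'That field cannot be edited here.', 400 );
    }

    update_user_meta( $user_id, $key, $value );
    wp_safe_redirect( wp_get_referer() ?: admin_url( 'profile.php' ) );
    exit;
}
add_action( 'admin_post_upmm_save_meta', 'upmm_handle_save_meta' );
```

The three checks are independent and all three matter: a nonce alone does not stop a low-privilege user from editing someone else's profile, a capability check alone does not stop a forged request from an administrator's browser, and without the key allow-list a generic "edit any meta" form lets either path reach the role and capability keys that decide what the account may do.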
CVE-2025-48340 is a critical Cross-Site Request Forgery (CSRF) vulnerability in the User Profile Meta Manager plugin for WordPress, allowing attackers to potentially escalate privileges.
You are affected if your WordPress site uses the User Profile Meta Manager plugin in versions 0.0.0 through 1.02. Upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of the plugin. Until then, implement input validation and CSRF tokens.
While no active exploitation campaigns have been confirmed, the CRITICAL severity suggests a high potential for exploitation.
Check the plugin developer's website and WordPress plugin repository for updates and security advisories related to CVE-2025-48340.