Platform: wordpress
Component: thesis-openhook
Fixed in: 4.3.2
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the OpenHook WordPress plugin. This flaw allows an attacker to cause an authenticated user's browser to submit unauthorized actions on that user's behalf without their knowledge. The vulnerability impacts versions from 0.0.0 up to and including 4.3.1. A patch is expected to be released by the vendor.
The CSRF vulnerability in OpenHook allows an attacker to craft malicious requests that appear to originate from a legitimate user. If successful, an attacker could modify plugin settings, create or delete content, or perform other actions as if they were the authenticated user. The potential impact depends on the permissions granted to the affected user account. This could lead to data modification, unauthorized access, or even complete control over the WordPress site if the user has administrative privileges. The attack surface is broad, as any user of the plugin is potentially vulnerable.
The vulnerability was publicly disclosed on 2025-12-31. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The medium CVSS score indicates a moderate risk of exploitation.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-62120 is to upgrade to a patched version of the OpenHook plugin as soon as it becomes available. Until a patch is released, consider implementing additional security measures. These include restricting access to sensitive plugin settings through role-based access control within WordPress. Implementing a Content Security Policy (CSP) can also help mitigate CSRF attacks by restricting the sources from which the browser can load resources. Web Application Firewalls (WAFs) configured to detect and block CSRF attacks can provide an additional layer of defense.
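As an added illustration (not OpenHook's own code, and not the plugin's actual vulnerable code path, which this advisory does not show), the following hypothetical WordPress plugin settings handler is shown first without and then with the nonce and capability checks that defeat CSRF; the function, option and action names are assumed:

```php
<?php
// Added illustration, not OpenHook's code: a hypothetical plugin
// settings handler, first without CSRF protection, then with the
// standard WordPress nonce and capability checks.

// BEFORE: any authenticated POST to admin-post.php?action=myplugin_save
// is honoured, so a request forged by another site and sent from a
// logged-in admin's browser silently overwrites the option.
function myplugin_save_settings_unprotected() {
    $options = array(
        'hook_header' => wp_kses_post( wp_unslash( $_POST['hook_header'] ?? '' ) ),
    );
    update_option( 'myplugin_options', $options );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}

// AFTER: the form carries a nonce tied to the user's session, and the
// handler rejects requests lacking a valid nonce or the capability.
// A cross-site page cannot obtain the victim's nonce, so forged
// requests fail the check_admin_referer() call with a 403.
function myplugin_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <textarea name="hook_header"></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function myplugin_save_settings_protected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    $options = array(
        'hook_header' => wp_kses_post( wp_unslash( $_POST['hook_header'] ?? '' ) ),
    );
    update_option( 'myplugin_options', $options );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}

// Only the protected handler is wired to the admin-post action.
add_action( 'admin_post_myplugin_save', 'myplugin_save_settings_protected' );
```

When reviewing a plugin update, confirm that every state-changing handler performs both the capability check and the nonce check; a nonce alone does not enforce authorization, and a capability check alone does not stop a forged request from a privileged user's browser.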
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-62120 describes a Cross-Site Request Forgery (CSRF) vulnerability in the OpenHook WordPress plugin, allowing attackers to perform unauthorized actions. It affects versions 0.0.0 through 4.3.1.
You are affected if your WordPress site uses the OpenHook plugin and you are running a version between 0.0.0 and 4.3.1. Check your plugin version and upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of the OpenHook plugin. Monitor the vendor's website or WordPress plugin repository for updates.
As of the current date, there are no confirmed reports of active exploitation of CVE-2025-62120, but the vulnerability is publicly known and could be targeted.
Check the official OpenHook plugin page on the WordPress plugin repository or the vendor's website for the latest advisory and patch information.