Platform: wordpress
Component: robotstxt-rewrite
Fixed in: 1.6.2
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Robots.txt rewrite WordPress plugin. This flaw allows attackers to manipulate the robots.txt file, potentially impacting website SEO and exposing sensitive information. The vulnerability affects versions from 0.0.0 through 1.6.1, and a patch is available in version 1.6.2.
The primary impact of this CSRF vulnerability lies in an attacker's ability to modify the robots.txt file. This file dictates which parts of a website search engine crawlers are allowed to access. By manipulating it, an attacker could prevent search engines from indexing important pages, damaging the website's SEO ranking. More critically, a rewritten robots.txt could name sensitive directories or files that should have been kept out of public view, since the file itself is world-readable. Direct data theft is not the primary attack vector, but the modified robots.txt could reveal information about the website's structure and guide further attacks.
This vulnerability was publicly disclosed on 2025-12-31. There are currently no known public proof-of-concept exploits available. The CVSS score of 4.3 places it in the medium severity band. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC: (not provided)
CVSS Vector: (not provided)
The recommended mitigation is to upgrade the Robots.txt rewrite plugin to version 1.6.2 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider a temporary workaround: restrict access to the plugin's settings page to authenticated administrators only, using WordPress's built-in role management capabilities. Additionally, implement a Web Application Firewall (WAF) rule that blocks requests to the plugin's endpoints which lack a valid CSRF token (WordPress nonce). Monitor WordPress logs for unusual activity related to robots.txt modifications.
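The root cause of a CSRF flaw in a WordPress plugin is a state-changing handler that trusts the admin's session cookie alone. The following is an added example, not code from the Robots.txt rewrite plugin, showing a hypothetical settings handler (the `rtr_` prefix, option name and form fields are all assumptions) first in the unprotected shape and then hardened with WordPress's nonce and capability checks, plus a small audit hook that supports the log-monitoring advice above:

```php
<?php
// Added example, not the plugin's own code. All names prefixed rtr_ are
// hypothetical; the WordPress functions used are real core APIs.

// Vulnerable pattern: any POST to admin-post.php carrying this action saves a
// new robots.txt body. The browser of a logged-in administrator who visits a
// malicious page will attach the session cookie, so the request is accepted.
function rtr_save_settings_vulnerable() {
    $body = isset( $_POST['rtr_robots'] ) ? wp_unslash( $_POST['rtr_robots'] ) : '';
    update_option( 'rtr_robots_txt', sanitize_textarea_field( $body ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=rtr-settings' ) );
    exit;
}

// Hardened pattern, step 1: the form embeds a nonce bound to this action and
// to the current user's session. A cross-site form cannot know this value.
function rtr_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rtr_save_settings">
        <?php wp_nonce_field( 'rtr_save_settings', 'rtr_nonce' ); ?>
        <textarea name="rtr_robots"><?php echo esc_textarea( get_option( 'rtr_robots_txt', '' ) ); ?></textarea>
        <?php submit_button( 'Save robots.txt' ); ?>
    </form>
    <?php
}

// Hardened pattern, step 2: the handler refuses requests without a valid
// nonce and requests from users who may not manage site options.
function rtr_save_settings_hardened() {
    // Stops execution with an HTTP 403 page if the nonce is missing or stale.
    check_admin_referer( 'rtr_save_settings', 'rtr_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to change robots.txt.', 'rtr' ),
            '',
            array( 'response' => 403 )
        );
    }

    $body = isset( $_POST['rtr_robots'] ) ? wp_unslash( $_POST['rtr_robots'] ) : '';
    update_option( 'rtr_robots_txt', sanitize_textarea_field( $body ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=rtr-settings' ) );
    exit;
}

// Only the hardened handler is registered; the vulnerable one is kept above
// purely for comparison and is never hooked.
add_action( 'admin_post_rtr_save_settings', 'rtr_save_settings_hardened' );

// Audit trail: WordPress fires update_option_{$option} whenever the stored
// value changes. Logging the acting user and source address gives the
// "monitor robots.txt modifications" advice something concrete to watch.
add_action( 'update_option_rtr_robots_txt', function ( $old_value, $new_value ) {
    $addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf(
        'rtr: robots.txt option changed by user %d from %s (%d -> %d bytes)',
        get_current_user_id(),
        $addr,
        strlen( (string) $old_value ),
        strlen( (string) $new_value )
    ) );
}, 10, 2 );
```

Note that restricting the settings page to administrators does not by itself stop CSRF, because the forged request is made by the administrator's own browser; the nonce check is what distinguishes a form the site rendered from one an attacker's page submitted. The capability check is still needed so that a lower-privileged account with a valid nonce cannot reach the handler.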
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-62148 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Robots.txt rewrite WordPress plugin, allowing attackers to modify the robots.txt file and potentially impact SEO and data exposure.
You are affected if you are running the Robots.txt rewrite WordPress plugin at any version from 0.0.0 through 1.6.1. Upgrade to 1.6.2 or later to mitigate the risk.
Upgrade the Robots.txt rewrite plugin to version 1.6.2 or later. As a temporary workaround, restrict access to the plugin's settings page to authenticated administrators only.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information regarding CVE-2025-62148.