Platform
wordpress
Component
auto-prune-posts
Fixed in
3.0.1
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Auto Prune Posts WordPress plugin. This flaw allows an attacker to trick authenticated users into performing actions they didn't intend, potentially leading to data deletion or configuration changes. The vulnerability affects versions from 0.0.0 through 3.0.0, and a fix is available in version 3.1.0.
The CSRF vulnerability in Auto Prune Posts allows an attacker to execute actions on behalf of a logged-in user without their knowledge. This could involve deleting posts, modifying pruning schedules, or altering other plugin settings. The impact is amplified if the affected WordPress site has administrative privileges assigned to the user being targeted. A successful attack could lead to data loss, disruption of service, and potential compromise of the entire WordPress installation. While no specific real-world exploitation has been publicly reported, CSRF vulnerabilities are frequently exploited in WordPress environments.
This vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a low to medium probability of active exploitation. The vulnerability was disclosed on 2025-11-13. The CVSS score of 6.5 (MEDIUM) reflects the potential impact and relative ease of exploitation.
Exploit Status
EPSS
0.03% (7% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-64262 is to upgrade the Auto Prune Posts plugin to version 3.1.0 or later. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) with CSRF protection rules. Additionally, ensure that all users are educated about the risks of clicking on suspicious links or visiting untrusted websites. Implement strict content security policies (CSP) to limit the sources from which scripts can be executed. After upgrading, verify the plugin's functionality and confirm that the CSRF protection is active by attempting to trigger a pruning action with a manipulated request.
Update to version 3.1.0, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-64262 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Auto Prune Posts WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using Auto Prune Posts versions 0.0.0 through 3.0.0. Upgrade to 3.1.0 or later to mitigate the risk.
Upgrade the Auto Prune Posts plugin to version 3.1.0 or later. Consider implementing WAF rules and educating users about CSRF risks.
While no active exploitation has been publicly confirmed, CSRF vulnerabilities are frequently targeted, so vigilance is advised.
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.