Platform: wordpress
Component: traderunner
Fixed in: 3.14.1
CVE-2025-67625 identifies a Cross-Site Request Forgery (CSRF) vulnerability within the Trade Runner application. This flaw allows an attacker to trick authenticated users into unknowingly executing malicious actions. The vulnerability impacts versions of Trade Runner from 0.0.0 up to and including 3.14. A fix is available via an upgrade to a patched version.
A successful CSRF attack can have significant consequences. An attacker could leverage this vulnerability to modify user settings, initiate unauthorized transactions, or even gain control of the user's account. The impact is directly tied to the privileges of the compromised user account. For instance, an administrator account could be exploited to make widespread changes to the Trade Runner configuration or data. This vulnerability highlights the importance of proper input validation and CSRF protection mechanisms within web applications.
CVE-2025-67625 was publicly disclosed on 2025-12-24. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-67625 is to upgrade Trade Runner to a version that includes the security fix. If upgrading immediately is not feasible, consider implementing temporary workarounds. These may include implementing strict Content Security Policy (CSP) headers to restrict the sources from which scripts can be executed. Additionally, consider using double-submit cookies or other CSRF protection mechanisms. After upgrading, verify the fix by attempting to trigger a CSRF attack using a known payload and confirming that the action is blocked.
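The following is an added illustration, not code from Trade Runner or from this advisory, of what "CSRF protection mechanisms" means for a WordPress plugin handler. WordPress's built-in control is the nonce (wp_nonce_field / check_admin_referer) rather than CSP: a CSP header limits which scripts may run in the page but does not stop a third-party page from auto-submitting a form to the site, so it is a defence-in-depth measure, not a CSRF fix on its own. The hook, field and option names prefixed `example_plugin_` are placeholders chosen for the example.

```php
<?php
// Added example: a CSRF-safe settings-save handler for a WordPress plugin.
// All "example_plugin_*" names are hypothetical placeholders, not the
// affected plugin's identifiers.

// 1. Render the form with a nonce field. wp_nonce_field() emits a hidden
//    input whose value is bound to the current user's session and expires,
//    so a page on another origin cannot know or guess it.
function example_plugin_render_settings_form() {
    $current = esc_attr( get_option( 'example_plugin_api_label', '' ) );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_plugin_save_settings">';
    wp_nonce_field( 'example_plugin_save_settings', 'example_plugin_nonce' );
    echo '<label>API label <input type="text" name="api_label" value="' . $current . '"></label>';
    submit_button( 'Save' );
    echo '</form>';
}

// 2. Handle the POST. Both checks run before any state changes:
//    - current_user_can(): is this user permitted to change settings at all?
//    - check_admin_referer(): did the request carry a valid nonce, i.e. did it
//      come from a form this site rendered for this user? A forged cross-site
//      POST lacks the nonce and is rejected here (check_admin_referer() calls
//      wp_die() on failure).
function example_plugin_handle_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_plugin_save_settings', 'example_plugin_nonce' );

    // Only after origin and capability are verified: sanitize and persist.
    $label = isset( $_POST['api_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_label'] ) )
        : '';
    update_option( 'example_plugin_api_label', $label );

    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}
add_action( 'admin_post_example_plugin_save_settings', 'example_plugin_handle_save' );

// 3. For AJAX handlers the equivalent check is check_ajax_referer(); for REST
//    routes, register a permission_callback and rely on the X-WP-Nonce header
//    that WordPress's own client adds to authenticated requests.
```

The order of the two checks is deliberate: a capability check alone does not help, because a CSRF request is sent by the victim's browser with the victim's cookies and therefore already has the victim's capabilities; only the nonce distinguishes a request the user intended from one a foreign page triggered.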
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-67625 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Trade Runner versions 0.0.0 through 3.14, allowing attackers to perform unauthorized actions.
If you are using Trade Runner version 0.0.0 through 3.14, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade Trade Runner to a version that includes the security patch. If immediate upgrade is not possible, implement temporary workarounds like CSP headers.
As of the last update, there are no confirmed reports of active exploitation, but continuous monitoring is recommended.
Refer to the official Trade Runner website or security advisories for the most up-to-date information and patch details.