Platform: wordpress
Component: codeflavors-vimeo-video-post-lite
Fixed in: 2.3.6
CVE-2025-68584 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Vimeotheque WordPress plugin. The flaw allows an attacker to perform unauthorized actions in the context of a logged-in user's account if that user is tricked into clicking a malicious link. Vimeotheque versions 0.0.0 through 2.3.5.2 are affected; a fix is available in version 2.3.6.
The consequences of a successful CSRF attack depend on the plugin's functionality and on the permissions of the user whose browser submits the forged request. An attacker could potentially modify video settings, delete videos, or even gain administrative access if the plugin has elevated privileges. The blast radius is limited to sites running the Vimeotheque plugin, but the impact on an individual site could be significant if sensitive video content or configuration is altered. The vulnerability underlines why state-changing actions in WordPress plugins need proper CSRF protection.
CVE-2025-68584 was published on 2025-12-24. No public proof-of-concept (PoC) code has been identified as of this date. The vulnerability's severity is rated MEDIUM (CVSS 4.3). It is not currently listed in the CISA KEV catalog, and there are no reports of active exploitation campaigns.
Exploit Status
EPSS: 0.02% (6th percentile)
The primary mitigation for CVE-2025-68584 is to upgrade the Vimeotheque plugin to version 2.3.6 or later. If an immediate upgrade is not possible, apply temporary workarounds such as enabling a Web Application Firewall (WAF) with CSRF protection rules. Additionally, ensure that all user input is validated and sanitized so that malformed requests are rejected. Where feasible, implement nonce-based CSRF protection (WordPress nonces tied to the specific action) in the plugin's code. After upgrading, verify the fix by attempting to trigger a CSRF request in a test environment and confirming that the action is blocked.
Update to version 2.3.6, or a newer patched version
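The nonce-based protection the mitigation above points at, shown as an added example that is not Vimeotheque's own code: a hypothetical plugin settings handler in the CSRF-exposed shape first, then the form WordPress core supports with a capability check and an action-specific nonce (all function names, the option key and the hook name are assumptions).

```php
<?php
// Added example (not Vimeotheque's code): hypothetical plugin handlers showing
// the pattern a CSRF-vulnerable WordPress action typically has, next to the
// nonce- and capability-checked form. All names here are placeholders.

// --- Vulnerable form: accepts any request arriving with the user's cookies ---
// A cross-site form auto-submitted from a malicious page reaches this handler
// with the victim's session and nothing proving the victim intended the change.
function myplugin_save_settings_vulnerable() {
    $value = sanitize_text_field( wp_unslash( $_POST['myplugin_option'] ?? '' ) );
    update_option( 'myplugin_option', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}

// --- Hardened form: the form embeds a nonce bound to this action and user -----
function myplugin_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_settings">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <input type="text" name="myplugin_option"
               value="<?php echo esc_attr( get_option( 'myplugin_option', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function myplugin_save_settings_hardened() {
    // 1. Authorization: the user must actually be allowed to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the request must carry a valid nonce for this exact action.
    //    check_admin_referer() calls wp_die() if the nonce is missing or stale,
    //    so a forged cross-site POST never reaches update_option().
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    $value = sanitize_text_field( wp_unslash( $_POST['myplugin_option'] ?? '' ) );
    update_option( 'myplugin_option', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}

// Route admin-post.php?action=myplugin_save_settings to the hardened handler only.
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings_hardened' );
```

For AJAX endpoints the equivalent check is check_ajax_referer() with the nonce passed from wp_localize_script() or wp_create_nonce(); the capability check is still needed, since a nonce proves intent, not authorization.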
CVE-2025-68584 is a Cross-Site Request Forgery (CSRF) vulnerability in the Vimeotheque WordPress plugin, allowing attackers to perform unauthorized actions if users click malicious links.
You are affected if you are using Vimeotheque versions 0.0.0 through 2.3.5.2. Upgrade to 2.3.6 to resolve the issue.
Upgrade the Vimeotheque plugin to version 2.3.6. As a temporary workaround, implement a WAF with CSRF protection or carefully validate user input.
There are currently no reports of active exploitation campaigns for CVE-2025-68584, but it's crucial to apply the fix promptly.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information.